HijackThis Log Please Help
melst
18. October 2006 @ 01:59
I have run HijackThis as per the instructions. Strangely, when running HijackThis I receive an error message before it finishes creating the log file: 'HijackThis has generated errors and will need to be closed by Windows. An error log is being created'. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:21 PM, on 18/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system\msidll.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\WINNT\System32\ctfmon.exe
C:\DOCUME~1\EIS~1.EIS\LOCALS~1\Temp\1D4A.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOCUME~1\EIS~1.EIS\LOCALS~1\Temp\FB5B.tmp
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.creative.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
Senior Member
18. October 2006 @ 11:55
Go here to download the trial version of AVG Anti-spyware.

Go here and download ATF Cleaner.

Install and update AVGAS.
Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
Restart your computer in safe mode(press F8 upon boot, select "Safe Mode" from menu and press Enter).
Open AVG AS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report".
Click "Save report as" and save it to the desktop.

Open ATF Cleaner.
Check "Select All".
Click "Empty Selected".

Restart in normal mode.
Post back with the AVG report and a new HijackThis log.

melst
18. October 2006 @ 19:25
Thanks for helping me. I have done all as instructed. Here is my AVG report and HijackThis log. I still received the error message as before when running HijackThis.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:01:49 PM 19/10/2006

+ Scan result:



C:\WINNT\system\msidll.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\WINNT\system32\dvudtmue.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINNT\system32\kuiaullb.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINNT\system32\lbwdhdxq.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINNT\system32\upmxdhfy.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.55:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.9:C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\xnfu6um2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.60:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.18:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.19:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.20:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.21:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.22:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.42:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.43:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.44:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.45:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.62:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.16:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.17:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.53:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Cookies\eis@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.32:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.33:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.34:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.35:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.71:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 2:12:40 PM, on 19/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Dodo Speed Accelerator\slipgui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.creative.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe (file missing)
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
Senior Member
18. October 2006 @ 20:00
Go to Start > Run > type services.msc
Find these, right click each one and click "Stop".
If not there, continue with HijackThis remove.
COM+ System Service (DLLHOST)
Microsoft information dll service (msidll)
Windows Service Host (SVCHOST)

Close Services.

Open HijackThis.
Click "Open the misc tools section".
Click "Delete an NT service..."
Copy/paste each of these one at a time into the area and then click OK.
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe (file missing)
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)


Then, run a scan only with HijackThis, check this:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80

Close all windows then click "Fix checked".
Close HijackThis.

Turn off System Restore.
Start > Control Panel > System > System Restore tab > select "Turn off System Restore" > click OK

Restart your computer.

Go here and run Kaspersky Online Scanner.
Accept the terms.
After downloading, click "My Computer".
After scanning, click "Save report as".
Save as a text file.

Post back with the Kaspersky log and a new HijackThis log.

Also, please tell if the error still remains with HijackThis.

melst
18. October 2006 @ 21:32
Thanks for your help. I am a bit confused though. When I tried Start>Run>services.msc I received a message that this file could not be found so I opened HijackThis and checked those entries but I don't know how to remove them. Would that be by clicking 'fix checked'? Or do you want me to 'close' them and if so how would I do that please?
Senior Member
19. October 2006 @ 01:03
Checking and clicking "Fix checked" usually will not work with services. You have to use the "Delete an NT service" option.

Look here C:\WINNT\System32 for your services.msc file(the icon looks like two gears). If it's there open it and continue with stopping them. If it isn't there, start with opening HijackThis and deleting the services and continue from there.

Before you run Kaspersky run a new scan with HijackThis, if they are still there let me know 'cause we'll have to remove them manually.



melst
19. October 2006 @ 14:20
Thanks for persevering with me. I have followed your instructions. In C:\winnt... these services were marked as already stopped. When I tried to stop them using HijackThis I received notification that these services were not found in the registry and that I needed to enter the short name of the service. So I haven't been able to complete these tasks.
Senior Member
19. October 2006 @ 15:53
Try these with HijackThis:
COM+ System Service (DLLHOST)
Microsoft information dll service (msidll)
Windows Service Host (SVCHOST)


melst
19. October 2006 @ 23:28
I tried those titles in the 'Delete an NT service' area in the 'Misc Tools' section of HijackThis but still received the same message,
eg 'Service 'Windows Service Host (SVC)' was not found in the Registry. Make sure you entered the short name of the service., vbEclamation'.
Senior Member
20. October 2006 @ 00:02
Ah, my fault! I wasn't thinking when I posted the second time. :)

This is what you use:
DLLHOST
msidll
SVCHOST


Sorry about that.

After that, restart.
Then, run Kaspersky and post back with the log and a new HijackThis log.


melst
20. October 2006 @ 04:11
No worries and thanks for helping. I have attempted to 'delete an NT service' using those headings but have received the message for DLLHOST, 'The Service 'DLLHOST' is enabled and or running. Disable it first, using HijackThis itself (from the scan results) or the services.msc window' and for msidll and SVCHOST the message,
'Service ... was not found in the Registry. Make sure you entered the short name of the service., vbEclamation'.
Senior Member
20. October 2006 @ 05:51
Ok, one more time. Hopefully the last. :)

Start > Run > type services.msc > click OK.
Find each of these and double click them.
Beside "Startup Type" click the drop down menu and select "Disabled".
COM+ System Service (DLLHOST)
Microsoft information dll service (msidll)
Windows Service Host (SVCHOST)

Close Services.

For more assurance fix each with HijackThis also.
Then, go to Delete an NT service and try again.
You will be prompted to restart after each one, do so after entering the last one.

If SVCHOST or msidll still prompts it's not in registry just continue with Kaspersky scan.
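
The back-and-forth above turns on the difference between a service's display name ("Windows Service Host") and its short name ("SVCHOST", the key name under HKLM\SYSTEM\CurrentControlSet\Services). HijackThis prints both in each O23 line as "Display Name (ShortName)", and the short name is what its "Delete an NT service" box, services.msc and sc.exe actually key on. As an added example that is not part of this thread, the Python below parses O23 lines of the shape posted here, pulls out the short name, flags the warning signs seen in this log (image file missing, no company in the version info, a Windows binary name such as svchost.exe or dllhost.exe living outside system32) and prints the sc.exe commands for the stop, disable and delete sequence the helper describes. The sample lines are constructed to match the thread's format, and the availability of sc.exe on the reader's machine (built into XP and later, Resource Kit on Windows 2000) is my assumption.

```python
"""Triage HijackThis O23 (service) lines and emit the short-name commands
needed to stop, disable and delete a rogue service."""
import re
from dataclasses import dataclass, field

# Constructed sample input: O23 lines in the shape HijackThis v1.99.1 prints
# them (modelled on the lines posted in this thread, not taken from a live box).
SAMPLE_LOG = r"""
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# HijackThis prints "Display Name (ShortName)"; the parenthesised short name is
# omitted when it equals the display name (assumption based on the logs above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Binaries that legitimately live only in %SystemRoot%\system32. A service whose
# image has one of these names but sits elsewhere is a lookalike.
SYSTEM32_ONLY = {"svchost.exe", "dllhost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}


@dataclass
class Service:
    display: str
    short: str          # what "Delete an NT service" and sc.exe actually want
    owner: str
    path: str
    missing: bool
    flags: list = field(default_factory=list)


def parse_o23(text):
    """Return one Service per O23 line; other lines are ignored."""
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        services.append(Service(
            display=m["display"],
            short=m["short"] or m["display"],
            owner=m["owner"],
            path=m["path"],
            missing=m["missing"] is not None,
        ))
    return services


def triage(svc):
    """Attach human-readable reasons this service deserves a second look."""
    folder, _, exe = svc.path.lower().rpartition("\\")
    if svc.missing:
        svc.flags.append("image file missing (orphaned entry or already removed)")
    if svc.owner.lower() == "unknown owner":
        svc.flags.append("binary carries no company version info")
    if exe in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        svc.flags.append(f"{exe} outside system32 (lookalike of a Windows binary)")
    return svc


def removal_commands(svc):
    """sc.exe lines keyed on the SHORT name, in the order to run them. sc.exe is
    built into XP and later; on Windows 2000 it comes from the Resource Kit
    (assumption about the reader's machine)."""
    return [
        f"reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc.short}",
        f"sc query {svc.short}",
        f"sc stop {svc.short}",
        f"sc config {svc.short} start= disabled",
        f"sc delete {svc.short}",
    ]


def suspicious_services(text):
    """Parse, triage and keep only the services that raised at least one flag."""
    return [s for s in (triage(s) for s in parse_o23(text)) if s.flags]


if __name__ == "__main__":
    for s in suspicious_services(SAMPLE_LOG):
        print(f"{s.display} -> short name '{s.short}'")
        for f in s.flags:
            print("   !", f)
        for cmd in removal_commands(s):
            print("   >", cmd)
```

The `reg query` and `sc query` lines come first on purpose: if the key is already gone (which is what the "was not found in the Registry" message means) there is nothing left to stop or delete, and the remaining commands can be skipped for that service.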


melst
21. October 2006 @ 17:48
As instructed, I did
'Start > Run > type services.msc > click OK.
Find each of these and double click them.
Beside "Startup Type" click the drop down menu and select "Disabled".
COM+ System Service (DLLHOST)
Microsoft information dll service (msidll)
Windows Service Host (SVCHOST)
Close Services.'
However, when trying 'Delete an NT service', HijackThis still told me that these entries could not be found in the Registry and when I created the log I received the message that 'HijackThis has generated errors and will be closed by Windows'.
Here are the Kaspersky online virus scan results and the HijackThis log.

KASPERSKY ONLINE SCANNER REPORT
Sunday, October 22, 2006 2:22:09 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 2 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/10/2006
Kaspersky Anti-Virus database records: 220190
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 28312
Number of viruses found 4
Number of infected objects 9 / 0
Number of suspicious objects 0
Duration of the scan process 03:31:02

Infected Object Name Virus Name Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\pvcoartv.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINNT\system32\bhevgfno.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINNT\Temp\9D14.tmp Infected: Trojan.Win32.Zapchast.cg skipped
C:\WINNT\Temp\FC4D.tmp Infected: Trojan.Win32.Zapchast.cg skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\ModemLog_SoftK56 Data Fax Voice Speakerphone CARP.txt Object is locked skipped
C:\red.exe Infected: Trojan-Dropper.Win32.Small.uy skipped
C:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[1].exe Infected: Trojan.Win32.Zapchast.cg skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[2].exe Infected: Trojan.Win32.Zapchast.cg skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/02 Jul 2003 01:57 from David Needham:FW: UNCLASSIFIED:-Oldie but/spider.sav.scr Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\history.dat Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\parent.lock Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cert8.db Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\key3.db Object is locked skipped
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\ntuser.dat.LOG Object is locked skipped
Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:56 PM, on 22/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

Thanks again for all the help.
Senior Member
21. October 2006 @ 19:55
Did you install VSToolBar since your last post? If you didn't go to Add/Remove Programs and uninstall it.

Go here and download Spybot Search and Destroy.

After installing open Spybot.
Click "Check for Updates".
Click "Search for Updates".
Select all and click "Download Updates".
After updating, close Spybot. We will run the scan in safe mode.

Restart in safe mode.
Locate and remove these files:
C:\red.exe
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[1].exe
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[2].exe

Empty the Recycle Bin.

Open Spybot.
Click "Check for Problems".
When it finishes, click "Fix selected problems".
Right click and select "Copy results" (not full report)
Paste the log into Notepad and save it.

Restart in normal mode.
Are you still getting errors with HijackThis?

Post back with the Spybot log and a new HijackThis log.


melst
21. October 2006 @ 21:46
I can't recall installing the VST toolbar. I have done as instructed and am still receiving the error message when I run HijackThis. Something odd that I just noticed in My Computer is a new additional unidentified and unnamed folder.
Here are the logs,

Spybot SD
MediaPlex: Tracking cookie (Internet Explorer: EIS) (Cookie, fixed)


Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Microsoft.WindowsSecurityCenter.SP2Update: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
C:\Program Files\VSToolbar\

SeachToolbarCorp.ToolbarVision: Text file (File, fixed)
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt

SeachToolbarCorp.ToolbarVision: Text file (File, fixed)
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt

SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\Toolbar Vision\

SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\

SeachToolbarCorp.ToolbarVision: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-436374069-1677128483-839522115-1000\Software\Search Toolbar Corp


--- Spybot - Search && Destroy version: 1.3 ---
2006-10-20 Includes\Cookies.sbi
2006-10-13 Includes\Dialer.sbi
2006-10-13 Includes\Hijackers.sbi
2004-11-29 Includes\LSP.sbi
2006-10-20 Includes\Keyloggers.sbi
2006-10-13 Includes\Malware.sbi
2006-10-20 Includes\Revision.sbi
2006-10-13 Includes\Security.sbi
2006-10-13 Includes\Spybots.sbi
2006-10-20 Includes\PUPS.sbi
2006-10-13 Includes\Trojans.sbi
2006-10-20 Includes\PUPSC.sbi
2005-02-17 Includes\Tracks.uti
2006-10-20 Includes\TrojansC.sbi
2006-10-20 Includes\SpybotsC.sbi
2006-10-20 Includes\SecurityC.sbi
2006-10-20 Includes\MalwareC.sbi
2006-10-20 Includes\KeyloggersC.sbi
2006-10-20 Includes\HijackersC.sbi
2006-10-20 Includes\DialerC.sbi

HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 4:15:37 PM, on 22/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

I'm pretty ignorant when it comes to these diagnostic practices, and am probably barking up the wrong tree but in my C: directory I noticed two new .exe files that I don't recall seeing previously. They are named zzkzddz.exe and zzkzdz.exe
BTW has anyone ever ascertained the identities of the people responsible for the winfixpro malware? I'd like to know where they live...
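The Spybot results above are mostly one pattern: Security Center notifications silenced, the firewall policy forced off and the wscsvc service start type changed, which is how this family keeps the user from noticing that protection is gone. The following script is an added example, not something from the thread or from Spybot. It parses Spybot's own `path\name!=dword:N` notation from the lines posted above into (subkey, value name, expected value) checks, re-reads each value through a pluggable reader, and emits a `reg add` command for every value that is present but wrong. `TAMPERED` is a constructed registry snapshot standing in for a live machine, so the demo runs offline; `winreg_reader` is only used on Windows. Values that are absent are deliberately not reported, because for the Policies keys absence is the normal state, and the Security Center keys do not exist on a Windows 2000 box like the one in this thread.

```python
"""Re-check the Security Center and firewall policy values that the Spybot
results above report as changed.  Added example, not part of the thread or
of Spybot.  SPYBOT_FINDINGS is copied from the post above; TAMPERED is a
constructed registry snapshot standing in for a live machine, and the
winreg path is only taken on Windows."""
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Spybot writes the value it expected after "!=" ("W=" on the last line
# means the same thing: a DWORD).  Every key here lives under HKLM.
SPYBOT_FINDINGS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
"""

_FINDING_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\(?P<subkey>.+)\\(?P<name>[^\\]+)!=(?:dword:|W=)(?P<value>\d+)$")

Check = Tuple[str, str, int]                   # (subkey under HKLM, value name, expected DWORD)
Reader = Callable[[str, str], Optional[int]]   # returns the DWORD, or None if absent


def parse_spybot(text: str) -> List[Check]:
    """Turn Spybot's 'path\\name!=dword:N' lines into (subkey, name, expected)."""
    checks: List[Check] = []
    for line in text.splitlines():
        m = _FINDING_RE.match(line.strip())
        if m:
            checks.append((m["subkey"], m["name"], int(m["value"])))
    return checks


def winreg_reader(subkey: str, name: str) -> Optional[int]:
    """Live reader for a Windows host; never reached in the offline demo."""
    import winreg  # Windows-only module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return int(value) if kind == winreg.REG_DWORD else None


def snapshot_reader(snapshot: Dict[Tuple[str, str], int]) -> Reader:
    """Reader over a dict keyed by (subkey, name), both lower-cased."""
    return lambda subkey, name: snapshot.get((subkey.lower(), name.lower()))


def audit(checks: List[Check], reader: Reader) -> List[Tuple[str, str, int, int, str]]:
    """Report every value that is present AND differs from what Spybot expects.
    An absent value is not reported: for the Policies keys absence is the
    normal state, and the Security Center keys do not exist on Windows 2000."""
    findings = []
    for subkey, name, expected in checks:
        found = reader(subkey, name)
        if found is None or found == expected:
            continue
        fix = 'reg add "HKLM\\%s" /v %s /t REG_DWORD /d %d /f' % (subkey, name, expected)
        findings.append((subkey, name, expected, found, fix))
    return findings


# Constructed snapshot reproducing the tampered state Spybot found: AV and
# firewall warnings silenced, firewall policy forced off, wscsvc disabled (4).
TAMPERED: Dict[Tuple[str, str], int] = {
    ("software\\microsoft\\security center", "antivirusdisablenotify"): 1,
    ("software\\microsoft\\security center", "firewalldisablenotify"): 1,
    ("software\\policies\\microsoft\\windowsfirewall\\standardprofile", "enablefirewall"): 0,
    ("system\\currentcontrolset\\services\\wscsvc", "start"): 4,
}


def audit_sample():
    """Run the Spybot-derived checks against the constructed snapshot."""
    return audit(parse_spybot(SPYBOT_FINDINGS), snapshot_reader(TAMPERED))


if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else snapshot_reader(TAMPERED)
    for subkey, name, expected, found, fix in audit(parse_spybot(SPYBOT_FINDINGS), reader):
        print("%s\\%s = %d (expected %d)\n    %s" % (subkey, name, found, expected, fix))
```

Spybot "fixed" these values once, but a Winlogon Notify DLL or a Run-key dropper can simply set them again at the next boot, which is why the check is worth repeating after each cleaning pass rather than trusting a single "fixed" line.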
Senior Member
21. October 2006 @ 22:00
Thank you! You mentioned WinFixer and I thought, Vundo. And look, no O2 or O20 entries in your log. Rename HijackThis to any name of your choice. Run a new scan and post the new log.

Yes, those two files mentioned are most likely bad because of the random name. I can't believe Kaspersky didn't pick these things up.

Go to Jotti's malware scan.
Beside the "File to upload and scan" click "Browse" find one of those, upload and scan it. Copy the results and post them with the new HjT log.

By the way, I'm not sure if they are known yet. I'll look into it.


This message has been edited since posting. Last time this message was edited on 21. October 2006 @ 22:05

melst
21. October 2006 @ 23:16
I should be thanking you! Something else that is odd is that now when I'm trying to open any Word .doc I'm being prompted to register my copy of Microsoft Office Suite which I assumed was already registered since I have never had this request made of me before. Also, after I ran Spybot and HijackThis and rebooted in normal mode, both browsers 'could not find' any of the websites I tried to look up, Afterdawn.com and Google.com for example and I had to reboot again to restore browser access. I wonder, what do you make of the unnamed folder in My Computer? Will do as instructed and post asap, thanks again.
Senior Member
21. October 2006 @ 23:22
Quote:
when I'm trying to open any Word .doc I'm being prompted to register my copy of Microsoft Office Suite
May or may not be caused by the malware. We'll see what happens after we finish cleaning.

Quote:
Also, after I ran Spybot and HijackThis and rebooted in normal mode, both browsers 'could not find' any of the websites I tried to look up, Afterdawn.com and Google.com for example and I had to reboot again to restore browser access.
Hmm, could have been caused by whatever remains.

Quote:
I wonder, what do you make of the unnamed folder in My Computer?
Sorry, forgot to say something about that. If you didn't create it, delete it.


This message has been edited since posting. Last time this message was edited on 21. October 2006 @ 23:24

melst
21. October 2006 @ 23:30
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 6:18:59 PM, on 22/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Dodo Speed Accelerator\slipgui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\JHT\JackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\System32\pvcoartv.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Dodo Speed Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Dodo Speed Accelerator\components\NOWImaging.dll
O2 - BHO: (no name) - {AE390722-A6AB-47DB-BFBD-06C986291B2C} - C:\WINNT\AppPatch\bvrul.dll
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - C:\WINNT\System32\ljjjjhh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O20 - Winlogon Notify: bvrul - C:\WINNT\AppPatch\bvrul.dll
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

Jotti's result
File: zzkzddz.exe
Status:
OK
MD5 c0f8622d0f0983ddf08b166739e5d077
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

As you say, it might be a new virus by the looks of these results.
Senior Member
21. October 2006 @ 23:36
Well, well, look at all the new files that decided to join us. :)

Download VundoFix to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a fresh HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After the reboot, look for those randomly named files. Still there?

Post back with the contents of vundofix.txt and a new HijackThis. Still getting error?

This message has been edited since posting. Last time this message was edited on 21. October 2006 @ 23:38

melst
21. October 2006 @ 23:40
In regard to the new folder in the C: directory when I single click on it it says that it's a system file and I feel a bit apprehensive about deleting it, just checking, do you think it is still okay to delete it?
Senior Member
22. October 2006 @ 00:01
Run Vundofix.

Then show hidden files and folders.
Open My Computer
Select the Tools > Folder Options > View tab.
Check "show hidden files and folders".
Click Apply then OK.

Open the folder. What is in it?

melst
22. October 2006 @ 00:31
The randomly named files are still there. In relation to the unnamed folder in My Computer, there is no 'open' option available only 'cut, create shortcut or delete', even double clicking does nothing. Go ahead and delete it you think?
Here is the Vundofix log

VundoFix V6.2.6

Checking Java version...

Scan started at 6:50:36 PM 22/10/2006

Listing files found while scanning....

C:\WINNT\system32\pvcoartv.dll
C:\WINNT\system32\bhevgfno.dll
C:\WINNT\system32\pmnnmkl.dll
C:\WINNT\system32\ovlrympm.dll
C:\WINNT\system32\picbbufd.exe
C:\WINNT\AppPatch\bvrul.dll
C:\WINNT\AppPatch\lurvb.ini
C:\WINNT\AppPatch\lurvb.bak1
C:\WINNT\AppPatch\lurvb.bak2
C:\WINNT\AppPatch\lurvb.tmp

Beginning removal...

Attempting to delete C:\WINNT\system32\pvcoartv.dll
C:\WINNT\system32\pvcoartv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\bhevgfno.dll
C:\WINNT\system32\bhevgfno.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmnnmkl.dll
C:\WINNT\system32\pmnnmkl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ovlrympm.dll
C:\WINNT\system32\ovlrympm.dll Has been deleted!

Attempting to delete C:\WINNT\system32\picbbufd.exe
C:\WINNT\system32\picbbufd.exe Has been deleted!

Attempting to delete C:\WINNT\AppPatch\bvrul.dll
C:\WINNT\AppPatch\bvrul.dll Could not be deleted.

Attempting to delete C:\WINNT\AppPatch\lurvb.ini
C:\WINNT\AppPatch\lurvb.ini Has been deleted!

Attempting to delete C:\WINNT\AppPatch\lurvb.bak1
C:\WINNT\AppPatch\lurvb.bak1 Has been deleted!

Attempting to delete C:\WINNT\AppPatch\lurvb.bak2
C:\WINNT\AppPatch\lurvb.bak2 Has been deleted!

Attempting to delete C:\WINNT\AppPatch\lurvb.tmp
C:\WINNT\AppPatch\lurvb.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\AppPatch\bvrul.dll
C:\WINNT\AppPatch\bvrul.dll Has been deleted!

Performing Repairs to the registry.
Done!

and the new HjT log
Logfile of HijackThis v1.99.1
Scan saved at 7:30:49 PM, on 22/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Dodo Speed Accelerator\slipgui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\JHT\JackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\System32\pvcoartv.dll (file missing)
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Dodo Speed Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Dodo Speed Accelerator\components\NOWImaging.dll
O2 - BHO: (no name) - {AE390722-A6AB-47DB-BFBD-06C986291B2C} - C:\WINNT\AppPatch\bvrul.dll (file missing)
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - C:\WINNT\System32\ljjjjhh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
Senior Member
22. October 2006 @ 00:51
Yeah, go ahead and delete it.

Run a scan only with HijackThis and check these:

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\System32\pvcoartv.dll (file missing)
O2 - BHO: (no name) - {AE390722-A6AB-47DB-BFBD-06C986291B2C} - C:\WINNT\AppPatch\bvrul.dll (file missing)
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - C:\WINNT\System32\ljjjjhh.dll (file missing)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)


These entries were not showing before the rename. So, if these are not your IPs, fix them also.
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57


Close all windows then click "Fix checked".

If you do fix those two O17 entries and lose your internet connection afterwards, you know they were yours. :) Just open HijackThis and click "View list of backups". Select those two and click "Restore".


Don't think you will find it, but search for this file and delete if found.
srvc.dll

Also, I'm almost positive those randomly named files are not good. Delete them also. If access is denied with any, delete them in safe mode.

Restart and post a new HijackThis log. Also tell me if you are still receiving an error when running HjT or if you are having any other problems.


This message has been edited since posting. Last time this message was edited on 22. October 2006 @ 00:52
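A defender-side triage script for the kinds of entries the helper is asking about (an added example, not code from this thread or from HijackThis): it parses O2/O20 "(file missing)" hooks and O17 NameServer values in the HijackThis 1.99 line format and flags resolvers outside an allowlist. The sample log lines and the 192.0.2.10 resolver are constructed, and treating the two 203.194.x.x addresses as the user's own ISP is an assumption the thread leaves open.

```python
"""Triage helper for HijackThis 1.99 log lines (added example; not code from the thread)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the O2/O17/O20 lines quoted in the thread; the
# 192.0.2.10 resolver is a made-up out-of-allowlist value (TEST-NET-1 documentation range).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - C:\WINNT\System32\ljjjjhh.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 192.0.2.10
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
NS_RE = re.compile(r"NameServer = (.+)$")
# Sections where a dangling path is a classic remnant of a removed or renamed malware file:
# BHOs (O2), Run keys (O4), Winlogon Notify hooks (O20), ShellServiceObjectDelayLoad (O21).
HOOK_SECTIONS = {"O2", "O4", "O20", "O21"}


def triage(log_text, expected_dns=()):
    """Return (section, reason, detail) for each entry worth checking in a HijackThis log."""
    allowed = [ip_network(n) for n in expected_dns]  # bare addresses become /32 networks
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in HOOK_SECTIONS and body.endswith("(file missing)"):
            findings.append((section, "dangling hook", body))
        elif section == "O17":
            ns = NS_RE.search(body)
            if not ns:
                continue
            for addr in ns.group(1).split():
                if not any(ip_address(addr) in net for net in allowed):
                    findings.append((section, "unexpected resolver", addr))
    return findings


if __name__ == "__main__":
    # Assumption: the two 203.194.x.x resolvers are the user's own ISP (the thread leaves this open).
    for section, reason, detail in triage(SAMPLE_LOG, ("203.194.56.150", "203.194.27.57")):
        print(f"{section:4} {reason:20} {detail}")
```

Anything flagged as an unexpected resolver should be compared against the ISP's published DNS servers before fixing, exactly as the helper's "View list of backups" / "Restore" step allows.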

melst
Suspended due to non-functional email address
22. October 2006 @ 01:29
There were no problems with HjT and it seems no other visible problems. I searched for that .dll file but it didn't come up at all.

Logfile of HijackThis v1.99.1
Scan saved at 8:23:29 PM, on 22/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Dodo Speed Accelerator\slipcore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Dodo Speed Accelerator\slipgui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\JHT\JackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Dodo Speed Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Dodo Speed Accelerator\components\NOWImaging.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
  © 1999-2025 by AfterDawn Ltd.