Author Topic: Recurring Spyware Problems  (Read 2864 times)
hisdudeness
« on: October 03, 2004, 05:40:45 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:Windows 2000
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:

OK, I'm having serious problems with recurring spyware. I've installed AdAware SE, Spybot Search and Destroy and CWShredder. Running AdAware in safe mode seems to get rid of everything, that is, when I rerun the scan in the same session of safe mode nothing shows up, and Spybot does the same (though it seems unable to fix a DSO Exploit that's on the computer). CWShredder doesn't seem to do anything.

I'm going to post two HijackThis Logs, one at the beginning of a session in safe mode and the other at the end of the same session having run all of the above programs.

Just a point to note: on restarting the computer into normal Windows, it went into an automatic shutdown, stating some error from the Windows NT System Authority or something, with an error in status code 128 and also something to do with the file C:/WINNT/System32/issas.exe. I'm not 100% sure if all the details for this last bit are right as it doesn't stay up on screen long enough for me, but it's happened a few times.

Anyway, here's the first:

Logfile of HijackThis v1.98.2
Scan saved at 17:52:50, on 03/10/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nuigalway.ie:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {038C66BF-48F3-C39A-16BD-230A711BB317} - C:\WINNT\system32\apppo32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [golumm] C:\WINNT\system32\golumm\services.exe
O4 - HKLM\..\Run: [d3zx.exe] C:\WINNT\system32\d3zx.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [ipjm.exe] C:\WINNT\system32\ipjm.exe
O4 - HKLM\..\Run: [sdkbc32.exe] C:\WINNT\system32\sdkbc32.exe
O4 - HKLM\..\Run: [sysxt32.exe] C:\WINNT\system32\sysxt32.exe
O4 - HKLM\..\Run: [apiyp.exe] C:\WINNT\system32\apiyp.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [sysinit] C:\WINNT\system32\golumm\services.exe
O4 - HKCU\..\Run: [Rshu] C:\Documents and Settings\Administrator\Application Data\ccea.exe
O4 - HKCU\..\Run: [Qsuzt] C:\WINNT\System32\w?wexec.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: v2cab - http://10896.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {062D34A9-2AEE-68AD-88C7-59DD05A267C6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0B5E6AE9-3E5C-0F10-2EDC-57D2119AB379} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0CF916E6-28A5-1B12-1BBA-076D3B12F833} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {101ABF37-8A32-5959-FA10-48A91B27CEE5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {10895A62-A13A-6414-3AC3-43720ABABB6F} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {14C5F5DE-AF1D-1B2D-5341-26507A46D343} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1586B476-45AA-2E52-EFB7-513137B6644A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=30579607f432361f4c24553de3a9fe7e27f55e8c7382e8f812488538178c09374cd3d1696277ab341d588a056fa84851d5e1f9fecd5da6e7490e:d3e35fce064ccfbb2d7510b28ebf1261
O16 - DPF: {17FEF0C0-615E-0661-0D89-24C75F6B52F8} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {19335DA0-87D6-03C5-12D6-46F40193C49F} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1B1D1068-7CFE-4DE7-4952-35C13ACF54C5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1B760DC5-4E77-191E-9F82-1B1C7319C77E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1BA9A2AD-D90D-4D19-0771-22EC500EE515} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1C54FB17-BFAA-6086-9085-6F17358C3F34} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1D797BFD-5F26-7EE9-5D97-209B446AEECC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1E00E452-BF33-4524-1D5F-582E4BF0B2BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {20270438-93B8-084B-5AB4-5CE4708C6B33} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {21139ACE-EF74-5B9C-789E-49AC176EE6C4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {263160C5-CC82-0F0E-DE3D-19BB399996E0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {283838EA-1C97-3E81-AE10-495B0B956DE9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2A2984AC-020A-03A8-0B84-4A95437B8EBA} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2E2982C6-C1D4-39DA-6A16-5C9844B1D730} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {33CBEC0D-A9A9-35E3-9CC3-00B86EF3021A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {346BA196-6B89-3546-762C-2F725A84E1E1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {359F00BF-3559-713D-8168-0F0054660875} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {373363D8-DF9A-0763-B661-679E5CCDF08C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {386C64AD-161A-5D92-8BDE-215A3DC484C2} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A6E2839-2B34-3376-86BB-2EA2523AFDB9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A836D02-28CC-4177-3219-116E7F4ABCD3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3AB63B21-DF20-7157-90A9-0C400F6E259E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B329F41-638B-485B-E36F-478B1A6E14D6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B8E4FB0-E2D0-090E-D1D4-60877AC3D490} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4417DEF3-0401-5A7E-970A-1C4904FD7010} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4641FC09-DF0B-6D6A-E9C2-2F563C4F7E0E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {490DCE5F-AE08-5207-3929-67771FA923C0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4A9612A1-062D-1C8D-6FFA-0D153B651B15} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4E8581E1-2025-166A-5C31-792A3CAC203D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50BA5281-6F7A-6363-F14A-5B313197F234} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50F065B6-FF68-7C58-3875-05FF278FF581} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5458BD85-3156-35ED-ED3F-31DE25DD5AD6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
O16 - DPF: {5751417A-7A1E-56FB-F9FB-098B1BD0603A} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {5B8FC5C5-3867-04DB-FB7E-5787654FD59A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5EB77B74-4BD4-2C94-69A3-0841251E6AA8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {62F10966-D369-4D2D-792A-604C2E1EA6B3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {643441E6-D0D5-7292-458A-0F740D74E20A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6517525E-959C-71D1-05A0-312F1D9EA917} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6524C97B-CA81-2CDA-6739-3BAC6AFC0CA1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {65752E20-B76A-1D58-5A2E-4034035A63A6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {667064A4-4DF9-7AAE-FC87-168D2116CBBD} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {66BC402E-548F-53B8-8CBC-4A1A14FD5801} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {68246EE4-4072-50FF-23A9-6C2D2CD126F6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {695B8E04-B17F-10C3-E7B0-20B66DD1293C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6B1EBEBF-3E4E-7E32-66A1-28CC0953D8D4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D027616-4EDE-5A2A-09EB-53896F29BBD4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D4358B2-8FBB-6B96-B52D-14EA676AB189} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6F69C89A-6117-1E0F-0A8A-0DA8335C417B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {71A98661-6809-0CE5-72B3-57612254A2FE} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {78CF1F14-A5FE-6B72-BF64-6C2F0B3E005D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {790EAC01-67E0-5821-3F68-47974C9A4F6A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {79AD2264-47D4-4675-13BF-65727DE325D8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7A0A4126-CFF3-2AC9-CD0D-0D5E633A6D2B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7B281185-B1BE-2FB6-9B26-616564CB7BE3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7BB4996C-E83F-739D-A61C-2E667517A1BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7CC3C160-417D-5DA2-CBB1-34D90D701440} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7DA43071-C32E-1C76-A482-131D0342E04D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-ie/iep/games4.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motherboard.local

And here's the second, having run the various programs:

Logfile of HijackThis v1.98.2
Scan saved at 18:08:09, on 03/10/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nuigalway.ie:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {038C66BF-48F3-C39A-16BD-230A711BB317} - C:\WINNT\system32\apppo32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [golumm] C:\WINNT\system32\golumm\services.exe
O4 - HKLM\..\Run: [d3zx.exe] C:\WINNT\system32\d3zx.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [ipjm.exe] C:\WINNT\system32\ipjm.exe
O4 - HKLM\..\Run: [sdkbc32.exe] C:\WINNT\system32\sdkbc32.exe
O4 - HKLM\..\Run: [sysxt32.exe] C:\WINNT\system32\sysxt32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [sysinit] C:\WINNT\system32\golumm\services.exe
O4 - HKCU\..\Run: [Rshu] C:\Documents and Settings\Administrator\Application Data\ccea.exe
O4 - HKCU\..\Run: [Qsuzt] C:\WINNT\System32\w?wexec.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: v2cab - http://10896.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {062D34A9-2AEE-68AD-88C7-59DD05A267C6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0B5E6AE9-3E5C-0F10-2EDC-57D2119AB379} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0CF916E6-28A5-1B12-1BBA-076D3B12F833} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {101ABF37-8A32-5959-FA10-48A91B27CEE5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {10895A62-A13A-6414-3AC3-43720ABABB6F} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {14C5F5DE-AF1D-1B2D-5341-26507A46D343} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1586B476-45AA-2E52-EFB7-513137B6644A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=30579607f432361f4c24553de3a9fe7e27f55e8c7382e8f812488538178c09374cd3d1696277ab341d588a056fa84851d5e1f9fecd5da6e7490e:d3e35fce064ccfbb2d7510b28ebf1261
O16 - DPF: {17FEF0C0-615E-0661-0D89-24C75F6B52F8} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {19335DA0-87D6-03C5-12D6-46F40193C49F} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1B1D1068-7CFE-4DE7-4952-35C13ACF54C5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1B760DC5-4E77-191E-9F82-1B1C7319C77E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1BA9A2AD-D90D-4D19-0771-22EC500EE515} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1C54FB17-BFAA-6086-9085-6F17358C3F34} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1D797BFD-5F26-7EE9-5D97-209B446AEECC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1E00E452-BF33-4524-1D5F-582E4BF0B2BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {20270438-93B8-084B-5AB4-5CE4708C6B33} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {21139ACE-EF74-5B9C-789E-49AC176EE6C4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {263160C5-CC82-0F0E-DE3D-19BB399996E0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {283838EA-1C97-3E81-AE10-495B0B956DE9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2A2984AC-020A-03A8-0B84-4A95437B8EBA} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2E2982C6-C1D4-39DA-6A16-5C9844B1D730} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {33CBEC0D-A9A9-35E3-9CC3-00B86EF3021A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {346BA196-6B89-3546-762C-2F725A84E1E1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {359F00BF-3559-713D-8168-0F0054660875} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {373363D8-DF9A-0763-B661-679E5CCDF08C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {386C64AD-161A-5D92-8BDE-215A3DC484C2} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A6E2839-2B34-3376-86BB-2EA2523AFDB9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A836D02-28CC-4177-3219-116E7F4ABCD3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3AB63B21-DF20-7157-90A9-0C400F6E259E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B329F41-638B-485B-E36F-478B1A6E14D6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B8E4FB0-E2D0-090E-D1D4-60877AC3D490} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4417DEF3-0401-5A7E-970A-1C4904FD7010} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4641FC09-DF0B-6D6A-E9C2-2F563C4F7E0E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {490DCE5F-AE08-5207-3929-67771FA923C0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4A9612A1-062D-1C8D-6FFA-0D153B651B15} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4E8581E1-2025-166A-5C31-792A3CAC203D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50BA5281-6F7A-6363-F14A-5B313197F234} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50F065B6-FF68-7C58-3875-05FF278FF581} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5458BD85-3156-35ED-ED3F-31DE25DD5AD6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
O16 - DPF: {5751417A-7A1E-56FB-F9FB-098B1BD0603A} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {5B8FC5C5-3867-04DB-FB7E-5787654FD59A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5EB77B74-4BD4-2C94-69A3-0841251E6AA8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {62F10966-D369-4D2D-792A-604C2E1EA6B3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {643441E6-D0D5-7292-458A-0F740D74E20A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6517525E-959C-71D1-05A0-312F1D9EA917} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6524C97B-CA81-2CDA-6739-3BAC6AFC0CA1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {65752E20-B76A-1D58-5A2E-4034035A63A6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {667064A4-4DF9-7AAE-FC87-168D2116CBBD} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {66BC402E-548F-53B8-8CBC-4A1A14FD5801} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {68246EE4-4072-50FF-23A9-6C2D2CD126F6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {695B8E04-B17F-10C3-E7B0-20B66DD1293C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6B1EBEBF-3E4E-7E32-66A1-28CC0953D8D4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D027616-4EDE-5A2A-09EB-53896F29BBD4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D4358B2-8FBB-6B96-B52D-14EA676AB189} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6F69C89A-6117-1E0F-0A8A-0DA8335C417B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {71A98661-6809-0CE5-72B3-57612254A2FE} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {78CF1F14-A5FE-6B72-BF64-6C2F0B3E005D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {790EAC01-67E0-5821-3F68-47974C9A4F6A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {79AD2264-47D4-4675-13BF-65727DE325D8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7A0A4126-CFF3-2AC9-CD0D-0D5E633A6D2B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7B281185-B1BE-2FB6-9B26-616564CB7BE3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7BB4996C-E83F-739D-A61C-2E667517A1BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7CC3C160-417D-5DA2-CBB1-34D90D701440} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7DA43071-C32E-1C76-A482-131D0342E04D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-ie/iep/games4.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motherboard.local



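A way to mechanise what a helper does by eye with a pair of logs like the two above: the script below, an added example that is not part of the thread or of HijackThis, diffs two logs to show what the cleanup tools actually removed (and what has appeared since), and flags the entry types seen here: IE search settings redirected to a local res:// DLL, an unnamed BHO, an O4 target whose path contains an unprintable character, a core system binary name running outside system32, a process image that is an NTFS alternate data stream, and O16 ActiveX downloads served from a bare IP or as a raw .exe. The embedded excerpts are constructed from the first and third logs posted in this thread; the heuristics are assumptions of mine, not HijackThis rules.

```python
# Diff two HijackThis logs and flag entries worth a second look. Added example
# for the thread above; not from the posts or from HijackThis itself.
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # 'O4 - HKLM\..\Run: [x] path'
PROC_RE = re.compile(r"^[A-Za-z]:\\")           # lines under 'Running processes:'
# Core binaries malware likes to impersonate, and where the genuine ones live.
SYSTEM_NAMES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

# Excerpts constructed from the first and third logs posted in the thread.
LOG_BEFORE = r"""
C:\WINNT\system32\services.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {038C66BF-48F3-C39A-16BD-230A711BB317} - C:\WINNT\system32\apppo32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [golumm] C:\WINNT\system32\golumm\services.exe
O4 - HKLM\..\Run: [apiyp.exe] C:\WINNT\system32\apiyp.exe
O4 - HKCU\..\Run: [Qsuzt] C:\WINNT\System32\w?wexec.exe
O16 - DPF: {062D34A9-2AEE-68AD-88C7-59DD05A267C6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
"""
LOG_AFTER = r"""
C:\WINNT\system32\services.exe
C:\WINNT\ntox32.dll:vvbcx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {038C66BF-48F3-C39A-16BD-230A711BB317} - C:\WINNT\system32\apppo32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [golumm] C:\WINNT\system32\golumm\services.exe
O4 - HKLM\..\Run: [msfu.exe] C:\WINNT\msfu.exe
O4 - HKCU\..\Run: [Qsuzt] C:\WINNT\System32\w?wexec.exe
O16 - DPF: {062D34A9-2AEE-68AD-88C7-59DD05A267C6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
"""

def parse_hjt(text):
    """(kind, body) pairs: items keep their R/F/O code, process lines get 'PROC'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROC_RE.match(line):
            entries.append(("PROC", line))
    return entries

def diff_logs(before_text, after_text):
    """Entries present only in the earlier log, and entries only in the later one."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)

def _is_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def _path_reason(path):
    """Heuristics shared by O4 autorun targets and running processes."""
    low = path.strip().strip('"').lower()
    folder, _, exe = low.rpartition("\\")
    if "?" in low:                          # HijackThis prints unprintable bytes as '?'
        return "unprintable character in the image path"
    if re.match(r"^[a-z]:\\[^:]*:[^\\]+$", low):   # second colon = file:stream
        return "image is an NTFS alternate data stream"
    if exe in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        return "core system binary name running from " + folder
    return None

def triage(entries):
    """[(kind, body, reason)] for every entry that matches a heuristic."""
    findings = []
    for kind, body in entries:
        low, reason = body.lower(), None
        if kind in ("R0", "R1") and "res://" in low:
            reason = "IE search/start setting points at a local res:// DLL (search hijack)"
        elif kind == "R3" and "missing" in low:
            reason = "default URLSearchHook removed, typically by a hijacker"
        elif kind == "O2" and low.startswith("bho: (no name)"):
            reason = "unnamed Browser Helper Object"
        elif kind == "O4":
            m = re.search(r"\]\s*(.*)$", body)      # text after '[name]'
            reason = _path_reason(m.group(1) if m else body.split(": ", 1)[-1])
        elif kind == "PROC":
            reason = _path_reason(body)
        elif kind == "O16":
            url = urlparse(body.rsplit(" - ", 1)[-1])
            if _is_ip(url.hostname or ""):
                reason = "ActiveX download served from a bare IP address"
            elif url.path.lower().endswith(".exe"):
                reason = "ActiveX DPF entry fetches a raw .exe instead of a .cab"
        if reason:
            findings.append((kind, body, reason))
    return findings
```

A flagged entry is a lead to check against the vendor's known-good path, not a verdict; the diff is what tells you whether a tool really removed anything between two runs.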

 
benditup
« Reply #1 on: October 03, 2004, 05:54:10 PM »

I've uploaded a file called getservices.zip.
Unzip it to a folder.
RESTART your computer.
Double-click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active services.

Please attach it in your reply. Simply click the "Insert File Attachment" below the reply box.
Browse to getservice.txt, right-click on it and select it.
Click Upload File.

Also post back with a fresh HijackThis log.



Download Attachment: getservices.zip 23.62 KB
Right click and select Save Target As... then rename the file as shown here and save.

 
benditup
« Reply #2 on: October 03, 2004, 05:57:27 PM »

When you post back with a fresh HijackThis log, can you ensure that you try to do the scan in Normal Mode? Thanks.

EDIT: I just reread your reply about your computer going into automated shutdown.
Try one of two things:
At normal startup, go to START>>>RUN
and type in shutdown -a

Or try it at a command prompt:
START>>>RUN>>>type in cmd
then input the shutdown -a command.

This may help to stop your computer from shutting down.
This is not a permanent fix, but it may buy you some time.

If you can, could you also download
the Stinger from McAfee?
The download link is near the top of the page.
Run it in Safe Mode and let me know if it finds anything.
« Last Edit: October 03, 2004, 06:05:00 PM by benditup »

 
hisdudeness
« Reply #3 on: October 03, 2004, 06:10:49 PM »

Thanks a mill!

This is the getservice log:



and the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 19:05:28, on 03/10/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\ntox32.dll:vvbcx
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\msfu.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\golumm\services.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Documents and Settings\Administrator\Application Data\ccea.exe
C:\WINNT\System32\w?wexec.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nuigalway.ie:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {038C66BF-48F3-C39A-16BD-230A711BB317} - C:\WINNT\system32\apppo32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [golumm] C:\WINNT\system32\golumm\services.exe
O4 - HKLM\..\Run: [d3zx.exe] C:\WINNT\system32\d3zx.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [ipjm.exe] C:\WINNT\system32\ipjm.exe
O4 - HKLM\..\Run: [sdkbc32.exe] C:\WINNT\system32\sdkbc32.exe
O4 - HKLM\..\Run: [sysxt32.exe] C:\WINNT\system32\sysxt32.exe
O4 - HKLM\..\Run: [msfu.exe] C:\WINNT\msfu.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [sysinit] C:\WINNT\system32\golumm\services.exe
O4 - HKCU\..\Run: [Rshu] C:\Documents and Settings\Administrator\Application Data\ccea.exe
O4 - HKCU\..\Run: [Qsuzt] C:\WINNT\System32\w?wexec.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: v2cab - http://10896.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {062D34A9-2AEE-68AD-88C7-59DD05A267C6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0B5E6AE9-3E5C-0F10-2EDC-57D2119AB379} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0CF916E6-28A5-1B12-1BBA-076D3B12F833} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {101ABF37-8A32-5959-FA10-48A91B27CEE5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {10895A62-A13A-6414-3AC3-43720ABABB6F} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {14C5F5DE-AF1D-1B2D-5341-26507A46D343} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1586B476-45AA-2E52-EFB7-513137B6644A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=30579607f432361f4c24553de3a9fe7e27f55e8c7382e8f812488538178c09374cd3d1696277ab341d588a056fa84851d5e1f9fecd5da6e7490e:d3e35fce064ccfbb2d7510b28ebf1261
O16 - DPF: {17FEF0C0-615E-0661-0D89-24C75F6B52F8} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {19335DA0-87D6-03C5-12D6-46F40193C49F} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1B1D1068-7CFE-4DE7-4952-35C13ACF54C5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1B760DC5-4E77-191E-9F82-1B1C7319C77E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1BA9A2AD-D90D-4D19-0771-22EC500EE515} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1C54FB17-BFAA-6086-9085-6F17358C3F34} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1D797BFD-5F26-7EE9-5D97-209B446AEECC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1E00E452-BF33-4524-1D5F-582E4BF0B2BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {20270438-93B8-084B-5AB4-5CE4708C6B33} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {21139ACE-EF74-5B9C-789E-49AC176EE6C4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {263160C5-CC82-0F0E-DE3D-19BB399996E0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {283838EA-1C97-3E81-AE10-495B0B956DE9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2A2984AC-020A-03A8-0B84-4A95437B8EBA} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2E2982C6-C1D4-39DA-6A16-5C9844B1D730} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {33CBEC0D-A9A9-35E3-9CC3-00B86EF3021A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {346BA196-6B89-3546-762C-2F725A84E1E1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {359F00BF-3559-713D-8168-0F0054660875} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {373363D8-DF9A-0763-B661-679E5CCDF08C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {386C64AD-161A-5D92-8BDE-215A3DC484C2} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A6E2839-2B34-3376-86BB-2EA2523AFDB9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A836D02-28CC-4177-3219-116E7F4ABCD3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3AB63B21-DF20-7157-90A9-0C400F6E259E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B329F41-638B-485B-E36F-478B1A6E14D6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B8E4FB0-E2D0-090E-D1D4-60877AC3D490} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3C20D71C-EEDC-5530-3C8D-4678190E3CAE} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4417DEF3-0401-5A7E-970A-1C4904FD7010} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4641FC09-DF0B-6D6A-E9C2-2F563C4F7E0E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {490DCE5F-AE08-5207-3929-67771FA923C0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4A9612A1-062D-1C8D-6FFA-0D153B651B15} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4E8581E1-2025-166A-5C31-792A3CAC203D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50BA5281-6F7A-6363-F14A-5B313197F234} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50F065B6-FF68-7C58-3875-05FF278FF581} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5458BD85-3156-35ED-ED3F-31DE25DD5AD6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
O16 - DPF: {5751417A-7A1E-56FB-F9FB-098B1BD0603A} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {5B8FC5C5-3867-04DB-FB7E-5787654FD59A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5EB77B74-4BD4-2C94-69A3-0841251E6AA8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {62F10966-D369-4D2D-792A-604C2E1EA6B3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {643441E6-D0D5-7292-458A-0F740D74E20A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6517525E-959C-71D1-05A0-312F1D9EA917} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6524C97B-CA81-2CDA-6739-3BAC6AFC0CA1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {65752E20-B76A-1D58-5A2E-4034035A63A6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {667064A4-4DF9-7AAE-FC87-168D2116CBBD} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {66BC402E-548F-53B8-8CBC-4A1A14FD5801} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {68246EE4-4072-50FF-23A9-6C2D2CD126F6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {695B8E04-B17F-10C3-E7B0-20B66DD1293C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6B1EBEBF-3E4E-7E32-66A1-28CC0953D8D4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D027616-4EDE-5A2A-09EB-53896F29BBD4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D4358B2-8FBB-6B96-B52D-14EA676AB189} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6F69C89A-6117-1E0F-0A8A-0DA8335C417B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {71A98661-6809-0CE5-72B3-57612254A2FE} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {78CF1F14-A5FE-6B72-BF64-6C2F0B3E005D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {790EAC01-67E0-5821-3F68-47974C9A4F6A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {79AD2264-47D4-4675-13BF-65727DE325D8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7A0A4126-CFF3-2AC9-CD0D-0D5E633A6D2B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7B281185-B1BE-2FB6-9B26-616564CB7BE3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7BB4996C-E83F-739D-A61C-2E667517A1BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7CC3C160-417D-5DA2-CBB1-34D90D701440} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7DA43071-C32E-1C76-A482-131D0342E04D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-ie/iep/games4.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motherboard.local



I'll do the bit 'bout the shutdown next

Download Attachment: hjthis.txt 25.23 KB

I've inserted the Getservices.txt file as an attachment, makes this thread a little easier to get to :)
« Last Edit: October 03, 2004, 06:29:23 PM by benditup »

 
benditup
Hero Member
« Reply #4 on: October 03, 2004, 06:25:28 PM »

I'm not sure at what point you're at right now, but after you Restart again,
preferably in Normal Mode,
you may want to try Stinger (try this in Safe Mode) first. It may not find anything, but I want to be sure.
Try posting another Getservices.txt file and another fresh HijackThis log,
and then try not to Restart the computer again until we apply a fix...

hisdudeness
Newbie
« Reply #5 on: October 03, 2004, 08:48:51 PM »

Stinger located the W32/Nachi!ftfpd virus in the C://WINNT/System32/wins/svchost file. (It may be an .exe, I can't remember)

benditup
Hero Member
« Reply #6 on: October 03, 2004, 08:54:29 PM »

Make sure you let Stinger fix whatever it finds.
If it can't fix it, manually try to delete this file:
C://WINNT/System32/wins/svchost.exe <--this file
DON'T try and delete the legitimate svchost files
in the system32 folder,
just the one that Stinger found bad in the wins folder.

Then Restart in Normal mode and post another hijackthis log and Getservices.txt so we can fix up the rest.

hisdudeness
Newbie
« Reply #7 on: October 03, 2004, 10:52:48 PM »

Stinger got rid of the svchost file itself

The newest getservice file is:

And the newest hijackthis is:


Logfile of HijackThis v1.98.2
Scan saved at 23:38:51, on 03/10/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\ntox32.dll:vvbcx
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\msfu.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\golumm\services.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\system32\wbqathf.exe
C:\Documents and Settings\Administrator\Application Data\ccea.exe
C:\WINNT\System32\w?wexec.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lljem.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nuigalway.ie:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {038C66BF-48F3-C39A-16BD-230A711BB317} - C:\WINNT\system32\apppo32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [golumm] C:\WINNT\system32\golumm\services.exe
O4 - HKLM\..\Run: [d3zx.exe] C:\WINNT\system32\d3zx.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [ipjm.exe] C:\WINNT\system32\ipjm.exe
O4 - HKLM\..\Run: [sdkbc32.exe] C:\WINNT\system32\sdkbc32.exe
O4 - HKLM\..\Run: [sysxt32.exe] C:\WINNT\system32\sysxt32.exe
O4 - HKLM\..\Run: [msfu.exe] C:\WINNT\msfu.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winbjo32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ysqzdgyv] C:\WINNT\system32\wbqathf.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [sysinit] C:\WINNT\system32\golumm\services.exe
O4 - HKCU\..\Run: [Rshu] C:\Documents and Settings\Administrator\Application Data\ccea.exe
O4 - HKCU\..\Run: [Qsuzt] C:\WINNT\System32\w?wexec.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {062D34A9-2AEE-68AD-88C7-59DD05A267C6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0B5E6AE9-3E5C-0F10-2EDC-57D2119AB379} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {0CF916E6-28A5-1B12-1BBA-076D3B12F833} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {101ABF37-8A32-5959-FA10-48A91B27CEE5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {10895A62-A13A-6414-3AC3-43720ABABB6F} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {13D6C866-AE06-631E-9118-52D2671C8EFB} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {14C5F5DE-AF1D-1B2D-5341-26507A46D343} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1586B476-45AA-2E52-EFB7-513137B6644A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=30579607f432361f4c24553de3a9fe7e27f55e8c7382e8f812488538178c09374cd3d1696277ab341d588a056fa84851d5e1f9fecd5da6e7490e:d3e35fce064ccfbb2d7510b28ebf1261
O16 - DPF: {17FEF0C0-615E-0661-0D89-24C75F6B52F8} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {19335DA0-87D6-03C5-12D6-46F40193C49F} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1B1D1068-7CFE-4DE7-4952-35C13ACF54C5} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1B760DC5-4E77-191E-9F82-1B1C7319C77E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1BA9A2AD-D90D-4D19-0771-22EC500EE515} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {1C54FB17-BFAA-6086-9085-6F17358C3F34} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1D797BFD-5F26-7EE9-5D97-209B446AEECC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {1E00E452-BF33-4524-1D5F-582E4BF0B2BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {20270438-93B8-084B-5AB4-5CE4708C6B33} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {21139ACE-EF74-5B9C-789E-49AC176EE6C4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {263160C5-CC82-0F0E-DE3D-19BB399996E0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {27C6AAC8-8806-4ACB-05DE-607861380471} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {283838EA-1C97-3E81-AE10-495B0B956DE9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {29FE97DA-6838-2FD9-C9FF-040514E9FF89} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2A2984AC-020A-03A8-0B84-4A95437B8EBA} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {2E2982C6-C1D4-39DA-6A16-5C9844B1D730} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {33CBEC0D-A9A9-35E3-9CC3-00B86EF3021A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {346BA196-6B89-3546-762C-2F725A84E1E1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {359F00BF-3559-713D-8168-0F0054660875} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {373363D8-DF9A-0763-B661-679E5CCDF08C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {386C64AD-161A-5D92-8BDE-215A3DC484C2} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A6E2839-2B34-3376-86BB-2EA2523AFDB9} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3A836D02-28CC-4177-3219-116E7F4ABCD3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3AB63B21-DF20-7157-90A9-0C400F6E259E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B329F41-638B-485B-E36F-478B1A6E14D6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3B8E4FB0-E2D0-090E-D1D4-60877AC3D490} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {3C20D71C-EEDC-5530-3C8D-4678190E3CAE} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4417DEF3-0401-5A7E-970A-1C4904FD7010} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4641FC09-DF0B-6D6A-E9C2-2F563C4F7E0E} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {490DCE5F-AE08-5207-3929-67771FA923C0} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4A9612A1-062D-1C8D-6FFA-0D153B651B15} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {4E8581E1-2025-166A-5C31-792A3CAC203D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50BA5281-6F7A-6363-F14A-5B313197F234} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {50F065B6-FF68-7C58-3875-05FF278FF581} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5458BD85-3156-35ED-ED3F-31DE25DD5AD6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/181ba6867e953d18b505/netzip/RdxIE601.cab
O16 - DPF: {5751417A-7A1E-56FB-F9FB-098B1BD0603A} - http://69.50.188.54/1/rdgIE208.exe
O16 - DPF: {5B8FC5C5-3867-04DB-FB7E-5787654FD59A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {5EB77B74-4BD4-2C94-69A3-0841251E6AA8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {62F10966-D369-4D2D-792A-604C2E1EA6B3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {643441E6-D0D5-7292-458A-0F740D74E20A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6517525E-959C-71D1-05A0-312F1D9EA917} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6524C97B-CA81-2CDA-6739-3BAC6AFC0CA1} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {65752E20-B76A-1D58-5A2E-4034035A63A6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {667064A4-4DF9-7AAE-FC87-168D2116CBBD} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {66BC402E-548F-53B8-8CBC-4A1A14FD5801} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {68246EE4-4072-50FF-23A9-6C2D2CD126F6} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {695B8E04-B17F-10C3-E7B0-20B66DD1293C} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6B1EBEBF-3E4E-7E32-66A1-28CC0953D8D4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D027616-4EDE-5A2A-09EB-53896F29BBD4} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6D4358B2-8FBB-6B96-B52D-14EA676AB189} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6DCC5EF1-C8FA-24FC-1666-3B01464CF26D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {6F69C89A-6117-1E0F-0A8A-0DA8335C417B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {71A98661-6809-0CE5-72B3-57612254A2FE} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {78CF1F14-A5FE-6B72-BF64-6C2F0B3E005D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {790EAC01-67E0-5821-3F68-47974C9A4F6A} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {79AD2264-47D4-4675-13BF-65727DE325D8} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7A0A4126-CFF3-2AC9-CD0D-0D5E633A6D2B} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7B281185-B1BE-2FB6-9B26-616564CB7BE3} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7BB4996C-E83F-739D-A61C-2E667517A1BC} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7CC3C160-417D-5DA2-CBB1-34D90D701440} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {7DA43071-C32E-1C76-A482-131D0342E04D} - http://69.50.188.54/1/gdnIE208.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-ie/iep/games4.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motherboard.local




I tried to post them as attachments, but every time I tried, the website said that I'd to log in, even though I was.

Hope you can help

Download Attachment: hjthis.txt 25.22 KB
« Last Edit: October 03, 2004, 11:03:35 PM by benditup »

benditup
Hero Member
« Reply #8 on: October 03, 2004, 11:45:14 PM »

You have a little work to do; you may want to print this out, as I need you to Restart in safe mode and stay disconnected from the Internet for some of it. Do as much as you can, hopefully all of it.
But first, do the following

===Set Windows to Show Hidden Files and Folders

===Create a New folder on your desktop, call it Aboutbuster
Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder===Run this later

===Open Notepad (START>>>RUN>>>type in notepad), hit Enter
Copy the contents of the Quote box to notepad
Name the file fix.reg
Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet

 
quote:


REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?
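Because fix.reg above (and search.reg later in this thread) are meant to be saved now and merged later, here is an added example, not part of this thread, that parses a REGEDIT4 file and lists exactly what merging it would do, so the file can be checked before it is double-clicked. The sample reuses key and value lines from those two files; the parser, the Op type and the list of sensitive key locations are this example's own.

```python
"""Preview what a REGEDIT4 .reg file will do before merging it.
Added example, not part of this thread; the sample reuses lines from the
fix.reg and search.reg files posted in it."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")        # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')  # "name"=data or @=data
# Locations where a write deserves a second look: autostart and browser hooks
# (this list is the example's own, not from the thread).
SENSITIVE = ("\\currentversion\\run", "urlsearchhooks", "\\winlogon",
             "browser helper objects", "\\internet explorer\\main")


@dataclass
class Op:
    kind: str              # delete_key | create_key | delete_value | set
    key: str
    name: Optional[str] = None
    value: object = None


def decode_data(data: str):
    """Raw right-hand side -> (type, value); string escapes \\ and \" are removed."""
    if data == "-":
        return ("delete", None)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return ("string", re.sub(r"\\(.)", r"\1", data[1:-1]))
    if data.lower().startswith("dword:"):
        return ("dword", int(data[6:], 16))
    return ("raw", data)  # hex:, hex(2): and friends are left as written


def parse_reg(text: str) -> tuple[list[Op], list[str]]:
    """Return the operations the file performs, plus any lines it could not read."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        return [], ["missing REGEDIT4 header"]
    ops, errors, key = [], [], None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if (m := KEY_RE.match(line)):
            key = m.group("key")
            ops.append(Op("delete_key" if m.group("delete") else "create_key", key))
        elif (m := VALUE_RE.match(line)) and key is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else re.sub(r"\\(.)", r"\1", name[1:-1])
            kind, value = decode_data(m.group("data"))
            if kind == "delete":
                ops.append(Op("delete_value", key, name))
            else:
                ops.append(Op("set", key, name, value))
        else:
            errors.append(f"line {n}: cannot parse {line!r}")
    return ops, errors


def needs_review(ops: list[Op]) -> list[Op]:
    """Whole-key deletions plus writes under the sensitive locations."""
    return [o for o in ops
            if o.kind == "delete_key"
            or (o.kind == "set" and any(s in o.key.lower() for s in SENSITIVE))]


# Constructed sample: one delete from fix.reg plus three keys from search.reg.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""

if __name__ == "__main__":
    ops, errors = parse_reg(SAMPLE_REG)
    for op in ops:
        flag = "REVIEW " if op in needs_review(ops) else "       "
        print(flag, op.kind, op.key, op.name if op.name is not None else "", repr(op.value) if op.kind == "set" else "")
    for err in errors:
        print("ERROR", err)
```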

 
hisdudeness
Newbie
« Reply #9 on: October 10, 2004, 04:25:20 PM »

Hey man, thanks for the advice. Sorry for not getting back quicker, I haven't gotten near my computer in ages, but I finally got it done and I'm going to post the two logs (HijackThis and AboutBuster)

HijackThis:

Logfile of HijackThis v1.98.2
Scan saved at 16:47:04, on 10/10/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\d?dplay.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nuigalway.ie:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Fxkwtlea] C:\WINNT\system32\d?dplay.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motherboard.local





AboutBuster Log:



Scanned at: 17:09:40   on: 10/10/04


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Just a few other bits to add:

When deleting and removing the files and folders that you said to, I got rid of a few others that sounded like spyware, like an ISTbar folder and one called ClockSync. Just saying in case it'll have an effect on the computer

Some of the files that you said to delete, I couldn't find on my computer either

Also, I couldn't get the DiscCleanup to run properly, it would just stall after starting.

The control.exe file is on the computer, though the shell.dll isn't, but one called shell32.dll is.

When running Hoster, it said that I hadn't a HOSTS file set up, but I clicked the "Restore Original Hosts" button anyway.

Spybot Search And Destroy
 Version 1.3, No detection update is installed

Ad-Aware SE
Reference Number  SE1R10 28.09.2004
Internal Build  15

Thanks again. Anything else for me to do?


 
benditup
Hero Member
« Reply #10 on: October 10, 2004, 05:21:23 PM »

Have you tried searching for updates with Spybot before running it?
It may be compromised; you may want to uninstall and reinstall it.
SEARCH FOR UPDATES, check for problems, fix everything in RED

I don't recognize the O17 Domain name, does it look OK to you?
It may be safe
Check you

I hope that you installed SpywareBlaster, if prompted to reset your ActiveX settings, allow it

We should restore your default search settings
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
Name the file as search.reg
Change the Save as Type to All Files.
Save this file on the desktop, don't use it yet


 
quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Download this zip file
Shell.dll.zip

Save it to your desktop and UNZIP it to your C:\Winnt\System32 folder

You can have hijackthis fix these entries
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [Fxkwtlea] C:\WINNT\system32\d?dplay.exe

Optionally, fix the next ones too; they are not threats, but they are NOT needed on startup, and the programs work fine without them
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler.exe <--registration reminder
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

RESTART your computer into safe mode
Find and delete this file if it exists
C:\WINNT\system32\d?dplay.exe <--this file

Navigate to this file
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
RENAME realsched.exe>>>realsched.old

Navigate to your Temp folders and delete the Whole contents, but don't delete the Temp directories themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Double click on search.reg you saved earlier on the desktop and allow it to merge into the registry.
Restart back in Normal mode and post back one more hijackthis log and let me know if you have any problems...
hisdudeness
Newbie
« Reply #11 on: October 10, 2004, 07:29:28 PM »

Thanks a million dude!!

I think it's fixed! The browser opens up the right homepage, no pop-ups so far, and the connection speed is better. You're a genius!

Here's the HijackThis log anyway:

Logfile of HijackThis v1.98.2
Scan saved at 20:25:22, on 10/10/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nuigalway.ie:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = motherboard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = motherboard.local



Those O17 parameters, I don't know what they are either, but that's probably because I don't know what they're supposed to be. But it seems to be working, which is good. Thanks again!
Logged
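Both the helper's triage above (fix these entries, optionally these, delete this file) and the log posted in this reply can be checked the same way: parse each HijackThis line and sort it into fix / verify / optional / suspicious. The script below is an added example, not code from this thread or from HijackThis; the sample log is constructed from the lines quoted in the thread with the proxy host and DNS domain replaced by placeholders, and the rules encode the helper's reasoning (a '?' in a file name, the optional-startup list, verifying the R1 proxy and O17 domain against your own network).

```python
import re

# Constructed sample, modelled on the HijackThis v1.98 lines quoted in this thread;
# the proxy host and domain are placeholders, not the poster's values.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.edu:8080
O4 - HKCU\..\Run: [Fxkwtlea] C:\WINNT\system32\d?dplay.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.local
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<sect>R[0-3]) - (?P<key>[^,]+),(?P<value>\S+) =\s*(?P<data>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+): Domain = (?P<domain>.*)$")

# Autostart helpers the thread calls "not threats, but NOT needed on startup".
OPTIONAL_STARTUP = {"realsched.exe", "qttask.exe"}

def executable(cmd):
    """Program file from a Run command, with surrounding quotes and arguments dropped."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def triage(log_text):
    """Return (severity, line, reason) for each HijackThis line worth acting on."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RE.match(line):
            exe = executable(m["cmd"])
            if "?" in exe:
                # '?' cannot occur in a Windows file name, so HijackThis is standing in
                # for a character it could not print: a common way to disguise a name.
                findings.append(("suspicious", line, "unprintable character in file name"))
            elif exe.rsplit("\\", 1)[-1].lower() in OPTIONAL_STARTUP:
                findings.append(("optional", line, "updater/helper not needed at startup"))
        elif m := R_RE.match(line):
            if m["value"] == "ProxyServer" and m["data"]:
                findings.append(("verify", line, f"proxy {m['data']}; confirm it is your network's"))
            elif not m["data"]:
                findings.append(("fix", line, f"blank {m['value']} setting; let HijackThis fix it"))
        elif m := O17_RE.match(line):
            findings.append(("verify", line, f"DNS domain suffix {m['domain']}; confirm it is your network's"))
    return findings

for severity, line, reason in triage(SAMPLE_LOG):
    print(f"[{severity}] {reason}\n    {line}")
```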
benditup
Hero Member
« Reply #12 on: October 10, 2004, 08:39:54 PM »

Well, your log looks good. I'm not sure about the O17 entries; it could be a name given by your University.

If I find anything new I'll get back to you; otherwise I'll lock this topic shortly, as your problems appear to be resolved.
Stay safe :)