TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Guest on December 30, 2004, 11:20:06 PM

Title: hello
Post by: Guest on December 30, 2004, 11:20:06 PM
Logfile of HijackThis v1.99.0
Scan saved at 7:16:43 PM, on 12/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WINDOWS.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\hllcxpa.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\naendnwg.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\System32\delxp.exe
C:\WINDOWS\System32\alg32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\sps32.exe
C:\Program Files\BigFix\BigFix.exe
c:\windows\system32\schtst.exe
c:\windows\system32\sschst.exe
C:\24tgs.exe
C:\24tgs.exe
C:\24tgs.exe
c:\windows\system32\schqst.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [bReCS] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [USB Driver] WINDOWS.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\Run: [TURXP Protocol] sps32.exe
O4 - HKLM\..\Run: [DELXP Protocol] delxp.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\RunServices: [USB Driver] WINDOWS.exe
O4 - HKLM\..\RunServices: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\RunServices: [TURXP Protocol] sps32.exe
O4 - HKLM\..\RunServices: [DELXP Protocol] delxp.exe
O4 - HKLM\..\RunServices: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKLM\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKCU\..\Run: [TURXP Protocol] sps32.exe
O4 - HKCU\..\Run: [DELXP Protocol] delxp.exe
O4 - HKCU\..\Run: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKCU\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
Title: hello
Post by: guestolo on January 16, 2005, 04:37:28 AM
Most of this was fixed via phone
Co-worker's log, still have yet to see an updated log ;)

Any others with similar problems, please start your own post and include a HijackThis log
Title: hello
Post by: guestolo on January 26, 2005, 10:27:34 PM
bump
Title: hello
Post by: Guest on January 26, 2005, 10:31:02 PM
Logfile of HijackThis v1.99.0
Scan saved at 6:28:36 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\cpxp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\lsass2k.exe
C:\WINDOWS\System32\cpvhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\crssxp.exe
C:\WINDOWS\System32\vsass.exe
C:\Documents and Settings\chris\Desktop\handwriting\MsgPlus.exe
C:\WINDOWS\System32\mcaxp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\pstcp32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BigFix\BigFix.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\PLUGINS\r_server.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris\Desktop\COMPUTER FIXES\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.njgwrwxyunyhjdbkqeezvmc.uk/0EzwuYNQ_3_xspOxXwhKhjfADRa8olGBocZOUHa4x2N9A693kIZWsFFlCbh404Bj.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmqkfnkbjwmcg.com/0EzwuYNQ_38YDtNTmsqBJQ4lxIdFLon0afXJtFh52Tk.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mhjwdmmfgsmnhuueo.com/0EzwuYNQ_38YDtNTmsqBJXqiQwKu6zvjafXJtFh52Tk.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\chris\Application Data\Mozilla\Profiles\default\4y3i2rnl.slt\prefs.js)
O2 - BHO: (no name) - {1E1FA0F7-F537-ECDF-0C3A-C959EACB6087} - C:\DOCUME~1\chris\APPLIC~1\CHICPR~1\Fast file.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft CPXP Protocol] cpxp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [lsass2k Update] lsass2k.exe
O4 - HKLM\..\Run: [CPVHOST Settings] cpvhost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CRSSXP SysInfo] crssxp.exe
O4 - HKLM\..\Run: [VSASS Loader] vsass.exe
O4 - HKLM\..\Run: [MCAXP Center] mcaxp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\chris\Desktop\handwriting\MsgPlus.exe"
O4 - HKLM\..\Run: [OnceMapiLogoSize] C:\Documents and Settings\All Users\Application Data\campdriveoncemapi\32 64.exe
O4 - HKLM\..\Run: [Microsoft PSTCP32 Data] pstcp32.exe
O4 - HKLM\..\RunServices: [Microsoft CPXP Protocol] cpxp.exe
O4 - HKLM\..\RunServices: [lsass2k Update] lsass2k.exe
O4 - HKLM\..\RunServices: [CPVHOST Settings] cpvhost.exe
O4 - HKLM\..\RunServices: [CRSSXP SysInfo] crssxp.exe
O4 - HKLM\..\RunServices: [VSASS Loader] vsass.exe
O4 - HKLM\..\RunServices: [MCAXP Center] mcaxp.exe
O4 - HKLM\..\RunServices: [Microsoft PSTCP32 Data] pstcp32.exe
O4 - HKCU\..\Run: [Microsoft CPXP Protocol] cpxp.exe
O4 - HKCU\..\Run: [lsass2k Update] lsass2k.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CPVHOST Settings] cpvhost.exe
O4 - HKCU\..\Run: [CRSSXP SysInfo] crssxp.exe
O4 - HKCU\..\Run: [VSASS Loader] vsass.exe
O4 - HKCU\..\Run: [MCAXP Center] mcaxp.exe
O4 - HKCU\..\Run: [NURB 32] C:\DOCUME~1\chris\APPLIC~1\FLAWBI~1\IsoGram.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\chris\Desktop\handwriting\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft PSTCP32 Data] pstcp32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service - Unknown - C:\Program Files\Internet Explorer\PLUGINS\r_server.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
Title: hello
Post by: Guest on January 26, 2005, 10:41:12 PM
Logfile of HijackThis v1.99.0
Scan saved at 6:38:14 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\cpxp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\lsass2k.exe
C:\WINDOWS\System32\cpvhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\crssxp.exe
C:\WINDOWS\System32\vsass.exe
C:\WINDOWS\System32\mcaxp.exe
C:\WINDOWS\System32\pstcp32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BigFix\BigFix.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\PLUGINS\r_server.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\COMPUTER FIXES\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.piobdthkeclausrhbpmtp.com/0EzwuYNQ_3_xspOxXwhKhjfADRa8olGBocZOUHa4x2M3ygwQh9ALElFlCbh404Bj.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmqkfnkbjwmcg.com/0EzwuYNQ_38YDtNTmsqBJQ4lxIdFLon0afXJtFh52Tk.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mhjwdmmfgsmnhuueo.com/0EzwuYNQ_38YDtNTmsqBJXqiQwKu6zvjafXJtFh52Tk.html");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\chris\Application Data\Mozilla\Profiles\default\4y3i2rnl.slt\prefs.js)
O2 - BHO: (no name) - {1E1FA0F7-F537-ECDF-0C3A-C959EACB6087} - C:\DOCUME~1\chris\APPLIC~1\CHICPR~1\Fast file.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft CPXP Protocol] cpxp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [lsass2k Update] lsass2k.exe
O4 - HKLM\..\Run: [CPVHOST Settings] cpvhost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CRSSXP SysInfo] crssxp.exe
O4 - HKLM\..\Run: [VSASS Loader] vsass.exe
O4 - HKLM\..\Run: [MCAXP Center] mcaxp.exe
O4 - HKLM\..\Run: [OnceMapiLogoSize] C:\Documents and Settings\All Users\Application Data\campdriveoncemapi\32 64.exe
O4 - HKLM\..\Run: [Microsoft PSTCP32 Data] pstcp32.exe
O4 - HKLM\..\RunServices: [Microsoft CPXP Protocol] cpxp.exe
O4 - HKLM\..\RunServices: [lsass2k Update] lsass2k.exe
O4 - HKLM\..\RunServices: [CPVHOST Settings] cpvhost.exe
O4 - HKLM\..\RunServices: [CRSSXP SysInfo] crssxp.exe
O4 - HKLM\..\RunServices: [VSASS Loader] vsass.exe
O4 - HKLM\..\RunServices: [MCAXP Center] mcaxp.exe
O4 - HKLM\..\RunServices: [Microsoft PSTCP32 Data] pstcp32.exe
O4 - HKCU\..\Run: [Microsoft CPXP Protocol] cpxp.exe
O4 - HKCU\..\Run: [lsass2k Update] lsass2k.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CPVHOST Settings] cpvhost.exe
O4 - HKCU\..\Run: [CRSSXP SysInfo] crssxp.exe
O4 - HKCU\..\Run: [VSASS Loader] vsass.exe
O4 - HKCU\..\Run: [MCAXP Center] mcaxp.exe
O4 - HKCU\..\Run: [NURB 32] C:\DOCUME~1\chris\APPLIC~1\FLAWBI~1\IsoGram.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft PSTCP32 Data] pstcp32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service - Unknown - C:\Program Files\Internet Explorer\PLUGINS\r_server.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
Title: hello
Post by: Guest on January 26, 2005, 11:15:10 PM
Logfile of HijackThis v1.99.0
Scan saved at 7:13:00 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\PLUGINS\r_server.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris\Desktop\COMPUTER FIXES\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\chris\Application Data\Mozilla\Profiles\default\4y3i2rnl.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service - Unknown - C:\Program Files\Internet Explorer\PLUGINS\r_server.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
Title: hello
Post by: guestolo on January 26, 2005, 11:17:12 PM
Download the trial version of TDS-3 anti-trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
This is good for 30 days
Install it and Restart your computer when prompted
Don't run a scan yet

When you're back in Windows it's important to update to the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
Again, don't run a scan yet

Launch TDS-3. In the top bar of the TDS window click system testing > full system scan.
Let it completely finish scanning---even if it appears to freeze at times
Detections will appear in the lower pane of the TDS window after the scan is finished (it'll take a while). Right click the list > select save as txt >> save this to a convenient location, I'll need to see it later

After saving the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
Title: hello
Post by: Guest on January 26, 2005, 11:59:43 PM
Scan Control Dumped @ 19:56:54 26-01-05
Positive identification: RemoteAdmin.RAdmin 2.1a
  File: c:\program files\internet explorer\plugins\r_server.exe

Live trojan found (in process memory): RAT.Remote Administrator
  File: C:\Program Files\Internet Explorer\PLUGINS\r_server.exe

Positive identification: TrojanProxy.Win32.Agent.ap1
  File: c:\documents and settings\chris\noname.exe

Positive identification (DLL): TrojanClicker.Win32.Adpower.a2 (dll)
  File: c:\documents and settings\chris\desktop\computer fixes\backups\backup-20050126-190444-216.dll

Positive identification (DLL): RemoteAdmin.RAdmin 2.0 (dll)
  File: c:\program files\internet explorer\plugins\admdll.dll

Positive identification: RemoteAdmin.RAdmin 2.1a
  File: c:\program files\internet explorer\plugins\r_server.exe

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\b2.exe

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\b22.exe

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\b24.exe

Positive identification: DDoS.RAT.rBot.age
  File: c:\windows\h2.exe

Positive identification: DDoS.RAT.rBot.age
  File: c:\windows\lgb.exe

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\windows\system32\doolsav.dat

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\system32\f2.exe

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\system32\f80.exe

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\system32\f85.exe

Positive identification: Trojan.Win32.LowZones.s1
  File: c:\windows\system32\t2.exe

Positive identification: Trojan.Win32.LowZones.d8
  File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\ez6pspah\a[1].exe
Title: hello
Post by: guestolo on January 27, 2005, 12:04:46 AM
c:\windows\system32\t7.exe
Title: hello
Post by: Guest on January 27, 2005, 12:46:30 AM
Logfile of HijackThis v1.99.0
Scan saved at 8:44:29 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\COMPUTER FIXES\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\chris\Application Data\Mozilla\Profiles\default\4y3i2rnl.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)