TheTechGuide Forum
General Category => Tech Clinic => Topic started by: ItTastesLikeBurning on February 14, 2005, 05:45:02 AM
-
ok, so my computer is getting messed up by dso exploit like so many others apparently, here's my logfile from hjt:
Logfile of HijackThis v1.99.0
Scan saved at 2:43:32 AM, on 2/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\apkslaym.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll"
O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealOne Player\realplay.exe" "/firstrun"
O4 - HKCU\..\RunOnce: [RealPlayer1] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
O4 - HKCU\..\RunOnce: [RealPlayer2] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email (http://\"http://by20fd.bay20.Email\") Removed.msn.com/resources/MsnPUpld.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
whoever helps me fix this you are a freakin' saint and i hope you live a very long and happy life thanks sooooo much!
-
Can you do me a favor and update your version of Hijackthis
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (http://\"https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe\") or CLICK HERE (http://\"http://aumha.org/downloads/hijackthis.exe\")
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
Can you also go to this site please
Give this site time to load
http://virusscan.jotti.dhs.org/ (http://\"http://virusscan.jotti.dhs.org/\")
Use the browse button and navigate to this file
C:\WINDOWS\system32\rmoc3260.dll <--this file
Right click on the file and choose Select
Then use the Submit button
Let it scan finish scanning
Could you post back the results of the scan back here please
-
ok i did everything you told me to do, took me a little longer than i had hoped to sit down and actually take care of it though, i hope to hear from you soon as my brand new comp is still getting bogged down by something...i appreciate all your help, here's the new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 10:59:56 AM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\HJT\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\qilkarec.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email (http://\"http://by20fd.bay20.Email\") Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
beyond that i did the scan u told me to, here are the results:
Service load: 0% 100%
File: rmoc3260.dll
Status: OK
Packers detected: None
AntiVir No viruses found (0.77 seconds taken)
Avast No viruses found (3.05 seconds taken)
AVG Antivirus No viruses found (0.90 seconds taken)
BitDefender No viruses found (0.91 seconds taken)
ClamAV No viruses found (1.22 seconds taken)
Dr.Web No viruses found (1.86 seconds taken)
F-Prot Antivirus No viruses found (0.16 seconds taken)
Fortinet No viruses found (0.66 seconds taken)
Kaspersky Anti-Virus No viruses found (1.00 seconds taken)
mks_vir No viruses found (0.25 seconds taken)
NOD32 No viruses found (0.47 seconds taken)
Norman Virus Control No viruses found (0.19 seconds taken)
hope to hear form you soon! you're a lifesaver!
-
rmoc3260.dll
That is probably related too Realplayer, it should be OK
Do another scan with Hijackthis and put a check next to these entries:
R3 - Default URLSearchHook is missing
02 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\qilkarec.dll
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer
Ensure that these files are gone, if not delete them
C:\WINDOWS\system32\qvonmzxh.dll <--file
C:\WINDOWS\system32\qilkarec.dll <--file
C:\WINDOWS\system32\msupd6.exe <--file
Post back a fresh Hijackthis log afterwards
-
ok so i removed all of those files except the 023-... one, although i checked it (twice) it still shows up on the hjt file each time... also when i run spybot, dso exploit still shows up. Any ideas? Thank you sooo much again for your time, you're a life-saver. Here's the new Hjt log..
Scan saved at 6:18:21 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email (http://\"http://by20fd.bay20.Email\") Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
hope to hear from you soon!
-
Don't worry about the DSO exploit in Spybot, it's a bug in the program
I let you know about it later
I have to step out
But could you
Restart into Safe mode
From safe mode
Go to start>>run>>type in services.msc
Hit OK
In the new window do you see this service name?
srpgwhocdids (MsUpdate6)
If so can you double click on it
Ensure the service is stopped and from the drop down menu set to disabled
Next with just Hijackthis open
Fix checked these entries
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
I want to see if they return
Restart back into Normal mode post back a fresh hijackthis log
Could you also
Download ServiceFilter.zip (http://\"http://www.bleepingcomputer.com/files/windows/ServiceFilter.zip\")
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
-
k i did what u said, here's current hjt log followed by post this:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email (http://\"http://by20fd.bay20.Email\") Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
and post this:
---> Begin Service Listing <---
Unknown Service # 1
Service Name: MsUpdate6
Display Name: srpgwhocdids
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\msupd6.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service #2
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Manual
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{e4bcb320-70ef-43ec-8fb9-38b4d4f46161}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
---> End Service Listing <---
Thanks so much for your help and always replying so shortly after i post, can't thank you enough =).
-
It's been awhile since you posted back
I need to see the WHOLE hijackthis log, not just the bottom part of it
Could you also ensure your running Hijackthis 1.99.1
You can get the updated version from my Signature below
Save it to a permanent folder
Rescan and post the log
All of it
-
Logfile of HijackThis v1.99.1
Scan saved at 11:42:13 PM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email (http://\"http://by20fd.bay20.Email\") Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
k that's the new log! sorry i didn't reply earlier. you, however, came through as punctually as ever and i greaty appreciate it! thank you so much. can't wait to hear back.
-
Open Hijackthis>>Open Misc tools section>>Click the
"Delete an NT Service"
In the box copy and paste the below in bold
srpgwhocdids
Hit OK
Afterwards
Could you please go to this link
http://www.billsway.com/vbspage/ (http://\"http://www.billsway.com/vbspage/\") and scroll down to
Registry Search Tool
Download,UNZIP and run "RegSrch.vbs"
Copy and paste this in the dialog box:
{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}
Click OK
After a while a prompt will come up.
Click OK to open in Notepad or Wordpad
Post back the results that are found
Do the same for this one too
{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}
-
ok, as far as the srpgwhocdids, when i tried to delete it with hjt it said it wasn't found. I downloaded the reg search and ran the scans u suggested, here's the first:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}" 3/19/2005 10:58:01 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\GIANTCompany\AntiSpyware\Alerts\6779FE23-A617-42FE-BAB1-5B0EAE]
"RegistryFullPath"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}"
[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\GIANTCompany\AntiSpyware\Alerts\6779FE23-A617-42FE-BAB1-5B0EAE]
"RegistryKey"="{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}"
[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}]
[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}\iexplore]
here's the second:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}" 3/19/2005 11:01:05 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}]
[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}\iexplore]
can't thank you enough for all your help =) be hearing from you soon hopefully!