TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Kenshin1591 on March 14, 2005, 08:54:24 PM

Title: problems with explorer.. dumb thing
Post by: Kenshin1591 on March 14, 2005, 08:54:24 PM
Hello, I was wondering if anybody could help me. I'm having trouble mainly with my explorer. Every time I turn on my computer nothing loads for around five minutes. The only thing I can see after Welcome (btw I'm running Windows XP) is the background picture. I then open my process list and see that explorer is using 97% of the CPU. Lol, probably not too good there :/ I then end the process, and then run a new task, specifically explorer again, and from there on the computer works fine. Please help :D


Logfile of HijackThis v1.99.1
Scan saved at 8:35:14 AM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cain\Abel.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\QUICKH~1\qhwscsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AB854823-1967-4D5C-9EF7-03274F12BF93} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB854823-1967-4D5C-9EF7-03274F12BF93} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com/fonts/TDSERVER.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//bestporn/main.chm::/load.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110535164775
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - C:\PROGRA~1\QUICKH~1\qhwscsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Post by: guestolo on March 14, 2005, 09:26:15 PM
I see a few entries that have to go, but I would like to make sure we don't miss anything

Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet

When you're back in Windows, it's important to update to the latest RADIUS database

IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

If you're unsure how to update it, follow the instructions from this link
http://tds.diamondcs.com.au/index.php?page=update
Follow the Manual update procedure
Again, don't run a scan yet

Print this out or save to a Notepad file for easy access

Restart into Safe mode without Network connection
You can do this by tapping the F8 key as The system is booting up

Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished  Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Restart back to Normal mode

If you're having problems with your desktop
Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything

Log off and back on again

Post back with a fresh Hijackthis log afterwards
Could you also Open Hijackthis>>Open Misc tools>>Open Hosts file manager
click the "Open In Notepad" button
Notepad should open with your Hosts entries
Copy and paste back here the Whole contents of the Hosts notepad file

Also post the Scandump.txt
Post by: Kenshin1591 on March 16, 2005, 03:21:36 PM
Hello, here everything is. I'm still having problems with the desktop showing webpages, an annoying tray item, and the explorer still takes forever to load :( lol I think I'm in a small pickle..

heres the dumplog

Scan Control Dumped @ 06:15:24 15-03-05
Live trojan found (in process memory): RAT.Cain
  File: C:\Program Files\Cain\Abel.exe

RegVal Trace: TrojanClicker.Win32.Spyre: HKEY_CURRENT_USER
  File: Software\Microsoft\Windows\CurrentVersion\RunOnce [Srv32 spool service=C:\WINDOWS\System32\spoolsrv32.exe]

RegVal Trace: TrojanClicker.Win32.Spyre: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\RunOnce [Srv32 spool service=C:\WINDOWS\System32\spoolsrv32.exe]

Positive identification (DLL): Adware.ToolBar.EliteBar.q1 (dll)
  File: c:\elitebar version 53.dll

Positive identification (DLL): Adware.ToolBar.EliteBar.z1 (dll)
  File: c:\elitesidebar version 8.dll

Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
  File: c:\elitetoolbar version 59.dll

Positive identification: TrojanDownloader.Win32.WinFetch.a
  File: c:\documents and settings\matt\local settings\temp\5ydtuba.exe

Positive identification: Trojan.Win32.Delf.cf4
  File: c:\documents and settings\matt\local settings\temp\atiupdate.exe

Suspicious Filename: Dual extensions
  File: c:\documents and settings\matt\local settings\temp\sa375.tmp.exe

Positive identification: TrojanDownloader.Win32.Small.uf
  File: c:\documents and settings\matt\local settings\temp\sa375.tmp.exe

Positive identification: Adware.Altnet.b
  File: c:\documents and settings\matt\local settings\temp\__unin__.exe

Positive identification <Adv>: Possible WebDownloader
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\65et05kb\mediaaccess[1].exe

Positive identification: Adware.180Solutions.o
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\85ibglav\saap[1].exe

Positive identification <Adv>: Possible keylogger
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\85ibglav\search[2].exe

Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\c1c1yzy1\elitebar59[1].dll

Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dd (dll)
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\g52vcp6v\nem220[1].dll

Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\mpmr8xuv\elitebar59[1].dll

Positive identification: TrojanDownloader.Win32.Dyfuca.dk
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\mpmr8xuv\optimize[1].exe

Positive identification (DLL): TrojanDownloader.Win32.Agent.ex7 (dll)
  File: c:\documents and settings\matt\local settings\temporary internet files\content.ie5\n8mlm9aj\jabber[1].ocx

Positive identification: Adware.ToolBar.EliteBar.v
  File: c:\program files\dap\temp\ldn554.tmp

Positive identification (DLL): Adware.ToolBar.MyWebSearch.c (dll)
  File: c:\program files\mywebsearch\bar\2.bin\f3popswt.dll

Positive identification (DLL): Adware.ToolBar.MyWebSearch.d (dll)
  File: c:\program files\mywebsearch\bar\2.bin\f3restub.dll

Positive identification (DLL): Adware.ToolBar.MyWebSearch.e (dll)
  File: c:\program files\mywebsearch\bar\2.bin\f3wphook.dll

Positive identification (DLL): Adware.ToolBar.MyWebSearch.f (dll)
  File: c:\program files\mywebsearch\bar\2.bin\mwsoestb.dll

Positive identification (DLL): Adware.Wesbar (dll)
  File: c:\program files\mywebsearch\srchastt\2.bin\mwssrcas.dll

Positive identification (embedded in file): Adware.NewDotNet (dll)
  File: c:\program files\warez p2p client\nnwarz3_88.exe

Positive identification: Adware.NewDotNet
  File: c:\program files\warez p2p client\nnwarz3_88.exe

Positive identification (DLL): Adware.Winad (dll)
  File: c:\program files\winad client\clientcom.dll

Positive identification: TrojanDownloader.Win32.Agent.bf2
  File: c:\program files\winad client\winclt.exe

Positive identification: TrojanProxy.Win32.Agent.dl1
  File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc2.exe

Positive identification <Adv>: Possible WebDownloader
  File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc11\mediaaccess.exe

Positive identification: Adware.SyncroAd
  File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc12\syncroad.exe

Positive identification (DLL): Adware.ToolBar.SBSoft.e (dll)
  File: c:\recycler\s-1-5-21-1715567821-1580818891-854245398-1004\dc13\rundlg32.dll

Positive identification: Adware.BargainBuddy.j Dropper
  File: c:\temp\cdt_bbi8016.exe

Positive identification (embedded in file): TrojanDropper.Win32.Delf.z
  File: c:\temp\installer2.exe

Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
  File: c:\temp\installer2.exe

Positive identification: Adware.Blazefind Dropper
  File: c:\temp\installer2.exe

Positive identification (DLL): Adware.180Solutions.g (dll)
  File: c:\temp\msbbhook.dll

Positive identification: Adware.TopRebates.a Dropper
  File: c:\temp\webrebates_cdt_installsilent.exe

Positive identification: Adware.MDH.a Dropper
  File: c:\windows\setup_silent_17304.exe

Positive identification: Adware.MDH.a Dropper
  File: c:\windows\setup_silent_26223.exe

Positive identification: Adware.ToolBar.EliteBar.v
  File: c:\windows\sideb.exe

Positive identification: TrojanDropper.Win32.Small.oy
  File: c:\windows\sys2515.exe

Positive identification: RAT.Jeemp.b
  File: c:\windows\sys2519.exe

Positive identification: TrojanProxy.Win32.Agent.dl1
  File: c:\windows\sys2538.exe

Positive identification: RAT.Thunk.d
  File: c:\windows\sys2555.exe

Positive identification: Adware.MediaMotor
  File: c:\windows\unstall.exe

Positive identification (DLL): TrojanDownloader.Win32.Agent.ex7 (dll)
  File: c:\windows\downloaded program files\jabber.ocx

Positive identification (DLL): Adware.ToolBar.EliteBar.l (dll)
  File: c:\windows\downloaded program files\v2.dll

Positive identification (DLL): Adware.ToolBar.EliteBar.q1 (dll)
  File: c:\windows\elitetoolbar\elitetoolbar version 53.dll

Positive identification (DLL): Adware.ToolBar.EliteBar.q (dll)
  File: c:\windows\elitetoolbar\elitetoolbar version 54.dll

Positive identification (DLL): Adware.EliteBar (dll)
  File: c:\windows\elitetoolbar\elitetoolbar version 56.dll

Positive identification (DLL): Adware.EliteBar (dll)
  File: c:\windows\elitetoolbar\elitetoolbar version 58.dll

Positive identification: Pornware.Downloader.Tibsystems.d
  File: c:\windows\system\121689.exe

Positive identification: Pornware.Downloader.Tibsystems.d
  File: c:\windows\system\121690.exe

Positive identification: Pornware.Downloader.Tibsystems.a
  File: c:\windows\system\121710.exe

Positive identification: Pornware.Downloader.Tibsystems.a
  File: c:\windows\system\121711.exe

Positive identification: Pornware.Downloader.Tibsystems.d
  File: c:\windows\system\121793.exe

Positive identification: Pornware.Downloader.Tibsystems.a
  File: c:\windows\system\122335.exe

Positive identification: Pornware.Downloader.Tibsystems.d
  File: c:\windows\system\teen.exe

Positive identification (DLL): RAT.Thunk.d (dll)
  File: c:\windows\system32\child.dll

Positive identification (DLL): Adware.EliteBar (dll)
  File: c:\windows\system32\elitedoolsav.dat

Positive identification: Trojan.Win32.StartPage.nk6
  File: c:\windows\system32\eliteerror32.dat

Positive identification: Trojan.Win32.StartPage.nk6
  File: c:\windows\system32\elitexkp32.exe

Positive identification: Adware.ToolBar.EliteBar.j Dropper
  File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\e521gfut\silent_install[1].exe

Positive identification: Trojan.Win32.StartPage.nk6
  File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\kdensp6b\protector_update[1].exe

Positive identification: TrojanDownloader.Win32.Elitebar.a
  File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\kdensp6b\silent_install[1].exe

Positive identification <Adv>: Possible WebDownloader
  File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\sxqj0dmf\bobby[1].exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\1.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\12.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\123.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\[censored].exe

Positive identification: TrojanDownloader.Win32.IstBar.fu
  File: c:\windows\system32\services\gamka2.exe

Positive identification: TrojanClicker.Win32.Agent.v1
  File: c:\windows\system32\services\gamka324.exe

Positive identification: TrojanDownloader.Win32.IstBar.fx
  File: c:\windows\system32\services\gammaka.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\redirect.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\redirect23.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\redirect234.exe

Positive identification: TrojanDropper.Win32.Tibsis.a1
  File: c:\windows\system32\services\sexychat.exe

Positive identification: TrojanClicker.Win32.Agent.ar
  File: c:\windows\system32\services\winsd.exe

 


and heres the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:52 AM, on 3/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cain\Abel.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\QUICKH~1\qhwscsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AB854823-1967-4D5C-9EF7-03274F12BF93} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB854823-1967-4D5C-9EF7-03274F12BF93} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com/fonts/TDSERVER.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//bestporn/main.chm::/load.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110535164775
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D4212C-AD0A-46BA-977E-E471F5C719D3}: NameServer = 205.188.146.145
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - C:\PROGRA~1\QUICKH~1\qhwscsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

thnx :)
Post by: guestolo on March 16, 2005, 08:19:01 PM
Did you let TDS3 delete all Positive Identifications?

NEXT:

Download and save to desktop Elite.zip
UNZIP the contents to desktop, you will now have Elite.reg on your desktop
We'll need this later

Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop

Print the rest of this out or save to a Notepad file on your desktop

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)

Find and delete this file
C:\WINDOWS\System32\spoolsrv32.exe <-file, EXACT name

Look for these ones too, if you find these files, delete them
C:\WINDOWS\desktop.html <-file
C:\WINDOWS\Web\desktop.html <-file

Make sure you do this:
Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything


Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//bestporn/main.chm::/load.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c18.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Double click on Elite.reg and allow to merge to your registry

Stay in safe mode
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files

Restart back to Normal mode

In Normal mode
If still having problems with your Desktop
Go back to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything
Log off and back on again

Do you have Microsoft's Anti-Spyware Beta version installed?
Also, did you purposely install this next program
Cain & Abel
May be associated with a Password Cracker, I'm just checking

Go to this link
Give it time to load if it's busy
http://virusscan.jotti.dhs.org/

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\System32\wldr.dll <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please

Could you do the same for this file too please
C:\Program Files\Cain\Abel.exe <-file

Navigate to this folder
c:\windows\system32\services
Open it and let me know what other files you see in it

Could you also
Post back with a fresh Hijackthis log afterwards
Also Open Hijackthis>>Open Misc tools>>Open Hosts file manager
click the "Open In Notepad" button
Notepad should open with your Hosts entries
Copy and paste back here the Whole contents of the Hosts notepad file

Please review everything I asked from above and post back with all required information
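As an added example that is not part of the thread and not a feature of HijackThis, the script below applies the same triage rules the helper used above to the entry lines of a HijackThis log: any O1 hosts override, an O2 BHO with "(no file)", O4 RunOnce values that are still present after reboots, O4 executables whose names imitate core Windows binaries (spoolsrv32.exe against spoolsv.exe), every O15 zone change, O16 codebases that are not plain http(s) or whose host is on a denylist, and O17 registry DNS servers for verification. The sample log is a constructed excerpt of the second log posted in the thread; the list of imitated system binaries, the two-host denylist (seeded from the entries the helper said to fix), the 0.85 similarity threshold and the Finding record are all this example's own assumptions.

```python
"""Added example, not part of the thread or of HijackThis: apply the triage
rules the helper used above (O1, orphaned O2, O4 RunOnce and lookalike
names, O15, O16 codebases, O17) to the entry lines of a HijackThis log."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed excerpt of the second log in the thread; not a complete log.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//bestporn/main.chm::/load.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D4212C-AD0A-46BA-977E-E471F5C719D3}: NameServer = 205.188.146.145
"""

# Core Windows binaries whose names malware imitates (assumed, illustrative list).
SYSTEM_BINARIES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "winlogon.exe", "explorer.exe")
# O16 codebase hosts the helper told the poster to remove (assumed denylist
# seeded from this thread; maintain your own).
DPF_HOST_DENYLIST = ("windupdates.com", "imgfarm.com")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)\b', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def imitated_system_binary(exe_name):
    """Return the system binary EXE_NAME imitates, or None. Digits are
    stripped first so spoolsrv32.exe is compared against spoolsv.exe; an
    exact system name is not a lookalike (its path is a separate check)."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES:
        return None
    stem = re.sub(r"\d+", "", name)
    for target in SYSTEM_BINARIES:
        if SequenceMatcher(None, stem, target).ratio() >= 0.85:
            return target
    return None


def triage(log_text):
    """Walk the log once and return the entries an analyst should act on."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":
            findings.append(Finding(section, "hosts file override", raw))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned BHO registration", raw))
        elif section == "O4":
            key = body.split(":", 1)[0]
            if "RunOnce" in key:
                # RunOnce values are deleted when consumed; one that is still
                # there after reboots is being re-created by whatever it starts.
                findings.append(Finding(section, "RunOnce entry re-created across reboots", raw))
            exe = EXE_RE.search(body)
            target = imitated_system_binary(exe.group(1)) if exe else None
            if target:
                findings.append(Finding(section, f"executable name imitates {target}", raw))
        elif section == "O15":
            findings.append(Finding(section, "IE zone trust widened", raw))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            scheme = url.split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                # ms-its:/mhtml:/file: codebases point at local or CHM content,
                # not a CAB fetched over HTTP.
                findings.append(Finding(section, f"DPF codebase uses {scheme}: scheme", raw))
            else:
                host = urlsplit(url).hostname or ""
                host = host[4:] if host.startswith("www.") else host
                if any(host == d or host.endswith("." + d) for d in DPF_HOST_DENYLIST):
                    findings.append(Finding(section, f"DPF codebase host on denylist ({host})", raw))
        elif section == "O17":
            findings.append(Finding(section, "registry-set DNS server, verify against the ISP's", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:45} {f.line}")
```

Run on the constructed excerpt it reports eleven findings and leaves the Microsoft Works, Messenger and Windows Update lines alone; the lookalike check is deliberately a similarity score rather than an exact list, because the thread's spoolsrv32.exe differs from the real spooler name by only a few characters.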