TheTechGuide Forum
General Category => Tech Clinic => Topic started by: owen on March 24, 2005, 05:11:43 PM
-
Hello guestelo,
I also have the same problem as a lot of other people on this forum: my home page is, yes you guessed it, about:blank.
I tried following your solution for somebody else's HijackThis log to get the sort of idea of what to do, but it hasn't worked.
Anyway, here is my HijackThis log. I'm sure you're a very busy person sorting out everyone's spyware stuff, but if you get a chance could you please have a look at mine. Thank you very much.
owen
Logfile of HijackThis v1.99.1
Scan saved at 21:57:41, on 24/03/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {23825487-92CD-42EE-BE6A-2153BBA521C2} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {23825487-92CD-42EE-BE6A-2153BBA521C2} - C:\WINNT\System32\ijbl.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
-
Guest owen, I'm sorry I missed your post
If you still need a hand please register and post back a fresh Hijackthis log
-
Hi guestelo,
I've registered now and here is my log file. I thought I might have deleted some things I shouldn't have using HijackThis, so I restored all the backups just before creating this log.
Thanks for looking.
Regards, owen
Logfile of HijackThis v1.99.1
Scan saved at 19:38:14, on 28/03/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {9B8C9419-C1CA-488D-8FD6-7F264078BF57} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {F1241467-FAA5-424B-B76F-87861125EA45} - C:\WINNT\System32\ijbl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O18 - Filter: text/html - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
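The two HijackThis logs above are read by eye in this thread; the following is an added example (not code from the post, the helper, or HijackThis) that does the same correlation mechanically: one DLL registered as several unnamed BHOs (O2) and as both the text/html and text/plain MIME filters (O18), a Run entry (O4) loading a DLL out of a Temp folder with "rundll32 ...,DllInstall", and R0/R1 search entries set to about:blank or to a res:// page served from inside that DLL. The sample log embedded in the script is a constructed subset of the second log, deliberately including the legitimate Adobe and Spybot BHOs and an NVIDIA Run entry so the check can be seen not to flag them; the function names are this example's own.

```python
"""Triage a HijackThis log for the about:blank / se.dll hijacker pattern.

Added example, not code from the forum post or from HijackThis. A DLL is
flagged only for hijacker-specific behaviour (MIME filter on text/html AND
text/plain, rundll32 ...,DllInstall from a Temp folder, or res:// search
pages served from inside it); an unnamed BHO alone is not enough, because
Spybot's SDHelper.dll also shows up as "(no name)".
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the second log posted above, plus entries
# that must NOT be flagged (Adobe BHO, Spybot SDHelper, NVIDIA Run entry).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5} - C:\WINNT\System32\ijbl.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O18 - Filter: text/html - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),DllInstall\b", re.IGNORECASE)
RES_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)


def parse_entries(log_text):
    """Return [(kind, line, fields)] for every HijackThis entry line.
    HijackThis separates the parts of an O2/O18 entry with ' - ', so the last
    field of those is the module path (which may contain spaces)."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            out.append((m.group("kind"), line, m.group("body").split(" - ")))
    return out


def triage(log_text):
    """Correlate entries by module path; return {dll_path: [reasons]}."""
    refs = defaultdict(list)  # lower-cased module path -> entry kinds seen
    for kind, line, fields in parse_entries(log_text):
        if kind in ("R0", "R1") and " = " in fields[0]:
            m = RES_RE.match(fields[0].split(" = ", 1)[1])
            if m:
                refs[m.group(1).lower()].append("R:res")
        elif kind == "O2" and fields[0] == "BHO: (no name)":
            refs[fields[-1].lower()].append("O2")
        elif kind == "O18" and fields[0].startswith("Filter: "):
            refs[fields[-1].lower()].append("O18:" + fields[0][len("Filter: "):])
        elif kind == "O4":
            m = RUNDLL_RE.search(fields[0])
            if m:
                refs[m.group(1).lower()].append("O4:DllInstall")

    flagged = {}
    for dll, kinds in refs.items():
        reasons = []
        if {"O18:text/html", "O18:text/plain"} <= set(kinds):
            reasons.append("MIME filter for text/html and text/plain (sees every page IE renders)")
        if "O4:DllInstall" in kinds and "\\temp\\" in dll:
            reasons.append("loaded from a Temp folder at logon via rundll32 ...,DllInstall")
        if "R:res" in kinds:
            reasons.append("IE search page served from a res:// resource inside the DLL")
        if reasons and "O2" in kinds:
            reasons.append("plus %d unnamed BHO registration(s)" % kinds.count("O2"))
        if reasons:
            flagged[dll] = reasons
    return flagged


def fix_list(log_text):
    """Entry lines to tick in HijackThis: every R0/R1 set to about:blank or a
    res:// page, and every entry that references a flagged DLL."""
    flagged = triage(log_text)
    ticks = []
    for kind, line, fields in parse_entries(log_text):
        value = fields[0].split(" = ", 1)[1] if kind in ("R0", "R1") and " = " in fields[0] else ""
        if value == "about:blank" or value.lower().startswith("res://"):
            ticks.append(line)
        elif any(dll in line.lower() for dll in flagged):
            ticks.append(line)
    return ticks


if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOG).items():
        print(dll)
        for r in reasons:
            print("    " + r)
    print("\nTick in HijackThis:")
    for line in fix_list(SAMPLE_LOG):
        print("    " + line)
```

On the sample, ijbl.dll is flagged through the pair of O18 filters (with its two unnamed BHO registrations noted), se.dll through the Temp-folder DllInstall Run entry and the res:// search bar, and the resulting tick list is the R0/R1, O2, O4 and O18 lines for those two DLLs only; SDHelper.dll, AcroIEHelper.ocx and the NvCplDaemon entry stay untouched.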
-
Download Startdreck.zip
Unzip it to its own folder
run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log
Also
Download DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button and post it back here
-
Hello questolo,
This is the StartDreck log and the DLLCompare log.
Thanks again,
owen
StartDreck (build 2.1.7 public stable) - 2005-03-29 @ 17:43:27 (GMT +01:00)
Platform: Windows 2000 (Win NT 5.0.2195 )
Internet Explorer: 5.00.2920.0000
Logged in as Any User at ANY-0C83B2LVGI6
»Registry
»Run Keys
»Current User
»Run
+nView
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
*Synchronization Manager=mobsync.exe /logon
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
*NeroCheck=C:\WINNT\System32\NeroCheck.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Speed racer=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
*HPDJ Taskbar Utility=C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
*InCD=C:\Program Files\ahead\InCD\InCD.exe
*APVXDWIN="C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
*UpdReg=C:\WINNT\Updreg.exe
*nwiz=nwiz.exe /install
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*{4BB01396-218E-4E73-B874-649AA011B0AF}
`InprocServer32=C:\WINNT\System32\ijbl.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*{8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5}
`InprocServer32=C:\WINNT\System32\ijbl.dll
*{9B8C9419-C1CA-488D-8FD6-7F264078BF57}
`InprocServer32=C:\WINNT\System32\ijbl.dll
*{F1241467-FAA5-424B-B76F-87861125EA45}
`InprocServer32=C:\WINNT\System32\ijbl.dll
»Files
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+144=\SystemRoot\System32\smss.exe
+172=\??\C:\WINNT\system32\csrss.exe
+192=\??\C:\WINNT\system32\winlogon.exe
+220=C:\WINNT\system32\services.exe
+232=C:\WINNT\system32\lsass.exe
+488=C:\WINNT\system32\svchost.exe
+524=C:\WINNT\system32\spoolsv.exe
+568=C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
+584=C:\WINNT\System32\CTsvcCDA.exe
+600=C:\WINNT\System32\svchost.exe
+636=C:\WINNT\System32\nvsvc32.exe
+652=C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
+712=C:\WINNT\system32\regsvc.exe
+696=C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
+700=C:\WINNT\system32\MSTask.exe
+788=C:\WINNT\system32\stisvc.exe
+844=C:\WINNT\System32\WBEM\WinMgmt.exe
+1188=C:\WINNT\Explorer.exe
+1248=C:\WINNT\System32\rundll32.exe
+908=C:\WINNT\System32\devldr32.exe
+1204=C:\WINNT\System32\rundll32.exe
+1288=C:\Program Files\Internet Explorer\iexplore.exe
+1148=C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\startdreck\StartDreck.exe
»Application specific
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,222 items found: 1,222 files, 0 directories.
Total of file sizes: 218,905,819 bytes 208.76 M
Administrator Account = True
AppInit_DLLs value = NVDESK32.DLL (not hidden)
--------------------End log---------------------
-
Hello again,
I ran DLLCompare looking for *.* rather than just *.dll and a few popped up, and I rescanned them all. I don't know if you wanted this, but here is the log anyway.
Regards,
owen
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\cdi5t.drv Tue 16 Apr 2002 11:27:54 A.SH. 5 0.00 K
C:\WINNT\SYSTEM32\desktop.ini Sun 15 Aug 2004 14:04:40 ...H. 271 0.26 K
C:\WINNT\SYSTEM32\folder.htt Sun 15 Aug 2004 14:04:40 ...H. 21,692 21.18 K
________________________________________________
1,981 items found: 1,949 files (4 H/S), 32 directories (2 H/S).
Total of file sizes: 306,911,865 bytes 292.69 M
Administrator Account = True
AppInit_DLLs value = NVDESK32.DLL (not hidden)
--------------------End log---------------------
-
Download and save to Desktop
SpSeHjFix110.zip (http://www.derbilk.de/SpSeHjfix110.zip)
Unzip the contents, so you now have SpSeHjfix110.exe on your desktop
===Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Find and delete this file, if found
C:\WINNT\System32\ijbl.dll <--this file
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4BB01396-218E-4E73-B874-649AA011B0AF} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {8D0506AB-8CB3-4631-A7EC-7CAC99C31AA5} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {9B8C9419-C1CA-488D-8FD6-7F264078BF57} - C:\WINNT\System32\ijbl.dll
O2 - BHO: (no name) - {F1241467-FAA5-424B-B76F-87861125EA45} - C:\WINNT\System32\ijbl.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - Startup: PowerReg Scheduler V3.exe
O18 - Filter: text/html - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
O18 - Filter: text/plain - {4EA73DF3-08C5-418F-A152-7D32753D40D8} - C:\WINNT\System32\ijbl.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet
Instead run SpSeHjfix110.exe and click the START Disinfection
It should Reboot your computer after you run it, if not
Restart your computer back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page,
Afterwards post back a fresh Hijackthis log,
And the log from SpSeHjfix110.exe
Could you also post a fresh StartDreck log
-
Hi questelo,
I've done what you asked in your last post and it seems to have sorted out my problem. I couldn't delete the file
C:\WINNT\system32\ijbl.dll
when I found it; the computer said it was in use. But the rest of the instructions seem to have fixed it. Here are the HijackThis, SpSeHjFix 1.1.1 and StartDreck logs anyway.
Please tell me if anything still looks amiss to you.
Thank you very much for all your help.
owen
Logfile of HijackThis v1.99.1
Scan saved at 01:03:08, on 31/03/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Pika Backup.lnk = C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
(3/31/05 00:50:38) SPSeHjFix started v1.1.1
(3/31/05 00:50:38) OS: Win2000 (5.0.2195)
(3/31/05 00:50:38) Language: english
(3/31/05 00:50:45) Disinfection started
(3/31/05 00:50:45) Bad-Dll(IEP): c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:50:45) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\System32\ijbl.dll
(3/31/05 00:50:45) Searchassistant Uninstaller - Keys Deleted
(3/31/05 00:50:45) FilterKey: HKCR\text/html (deleted)
(3/31/05 00:50:45) FilterKey: HKCR\CLSID\{860D3C78-6CCA-4CB4-969A-9FD87EC6DD5B} (deleted)
(3/31/05 00:50:45) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(3/31/05 00:50:45) FilterKey: HKCR\text/plain (deleted)
(3/31/05 00:50:45) FilterKey: HKCR\CLSID\{860D3C78-6CCA-4CB4-969A-9FD87EC6DD5B} (error while deleting)
(3/31/05 00:50:45) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(3/31/05 00:50:45) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC3AA9C6-B511-4936-9EF6-35C83DC820C0} (deleted)
(3/31/05 00:50:45) BHO-Key: HKCR\CLSID\{AC3AA9C6-B511-4936-9EF6-35C83DC820C0} (deleted)
(3/31/05 00:50:45) UBF: 6
(3/31/05 00:50:45) UBB: 2
(3/31/05 00:50:45) UBR: 12
(3/31/05 00:50:45) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(3/31/05 00:50:45) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\anyuse~1.any\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\anyuse~1.any\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(3/31/05 00:50:45) Stealth-String not found
(3/31/05 00:50:45) Temp-Files delete on Reboot
(3/31/05 00:50:45) File added to delete: c:\winnt\system32\ijbl.dll
(3/31/05 00:50:45) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:50:45) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\~df5db1.tmp
(3/31/05 00:50:45) Reboot
(3/31/05 00:54:33) SPSeHjFix started v1.1.1
(3/31/05 00:54:33) OS: Win2000 (5.0.2195)
(3/31/05 00:54:33) Language: english
(3/31/05 00:55:20) Disinfection started
(3/31/05 00:55:20) Bad-Dll(IEP): (not found)
(3/31/05 00:55:20) Bad-Dll(IEP) in BHO: (not found)
(3/31/05 00:55:20) UBF: 4
(3/31/05 00:55:20) UBB: 1
(3/31/05 00:55:20) UBR: 12
(3/31/05 00:55:20) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(3/31/05 00:55:20) Bad IE-pages: (none)
(3/31/05 00:55:20) Stealth-String not found
(3/31/05 00:55:20) Temp-Files delete on Reboot
(3/31/05 00:55:20) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:55:20) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\~dfd30c.tmp
(3/31/05 00:55:20) Reboot
(3/31/05 01:03:41) SPSeHjFix started v1.1.1
(3/31/05 01:03:41) OS: Win2000 (5.0.2195)
(3/31/05 01:03:41) Language: english
(3/31/05 01:03:50) Disinfection started
(3/31/05 01:03:50) Bad-Dll(IEP): (not found)
(3/31/05 01:03:50) Bad-Dll(IEP) in BHO: (not found)
(3/31/05 01:03:50) UBF: 4
(3/31/05 01:03:50) UBB: 1
(3/31/05 01:03:50) UBR: 10
(3/31/05 01:03:50) Bad IE-pages: (none)
(3/31/05 01:03:50) Stealth-String not found
(3/31/05 01:03:50) Not infected->END
StartDreck (build 2.1.7 public stable) - 2005-03-31 @ 01:04:43 (GMT +01:00)
Platform: Windows 2000 (Win NT 5.0.2195 )
Internet Explorer: 5.00.2920.0000
Logged in as Any User at ANY-0C83B2LVGI6
»Registry
»Run Keys
»Current User
»Run
+nView
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
*NeroCheck=C:\WINNT\System32\NeroCheck.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Speed racer=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
*HPDJ Taskbar Utility=C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
*InCD=C:\Program Files\ahead\InCD\InCD.exe
*APVXDWIN="C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
*nwiz=nwiz.exe /install
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Start Menu\Programs\Startup\Pika Backup.lnk
»Default User
»Local Machine
*C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Acrobat Assistant.lnk
*C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\System32\config.nt
*C:\autoexec.bat
*C:\WINNT\System32\autoexec.nt
*C:\WINNT\System32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+148=\SystemRoot\System32\smss.exe
+172=\??\C:\WINNT\system32\csrss.exe
+168=\??\C:\WINNT\system32\winlogon.exe
+220=C:\WINNT\system32\services.exe
+232=C:\WINNT\system32\lsass.exe
+496=C:\WINNT\system32\svchost.exe
+520=C:\WINNT\system32\spoolsv.exe
+572=C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
+588=C:\WINNT\System32\CTsvcCDA.exe
+604=C:\WINNT\System32\svchost.exe
+640=C:\WINNT\System32\nvsvc32.exe
+656=C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv50.exe
+120=C:\WINNT\system32\regsvc.exe
+716=C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
+740=C:\WINNT\system32\MSTask.exe
+772=C:\WINNT\system32\stisvc.exe
+808=C:\WINNT\System32\WBEM\WinMgmt.exe
+1004=C:\WINNT\Explorer.exe
+1160=C:\WINNT\System32\devldr32.exe
+1208=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
+1132=C:\WINNT\System32\RUNDLL32.EXE
+1268=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+1308=C:\Program Files\QuickTime\qttask.exe
+1328=C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
+1372=C:\Program Files\ahead\InCD\InCD.exe
+1388=C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
+1416=C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
+684=C:\Program Files\PikaOne Software\FlyCASE\PikaBackup.exe
+1396=C:\WINNT\System32\rundll32.exe
+900=C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
+1340=C:\WINNT\system32\NOTEPAD.EXE
+620=C:\WINNT\system32\NOTEPAD.EXE
+260=C:\Documents and Settings\Any User.ANY-0C83B2LVGI6\Desktop\nina\startdreck\StartDreck.exe
»NT Services
*Alerter Alerter - on demand
*Application Management AppMgmt - on demand
*Computer Browser Browser running auto
*C-DillaSrv C-DillaSrv running auto
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*Creative Service for CDROM Access Creative Service for running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fax Service Fax - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper Service LmHosts running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc running auto
*NVIDIA Driver Helper Service NVSvc running auto
*Panda anti-virus service PAVSRV running auto
*Plug and Play PlugPlay running auto
*IPSEC Policy Agent PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry Service RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*RunAs Service seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Sharing SharedAccess - on demand
*Print Spooler Spooler running auto
*Still Image Service StiSvc running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Telnet TlntSvr - on demand
*Distributed Link Tracking Client TrkWks running auto
*Uninterruptible Power Supply UPS - on demand
*Utility Manager UtilMan - on demand
*Windows Time W32Time - on demand
*Windows Management Instrumentation WinMgmt running auto
*Windows Management Instrumentation Driver Exten Wmi running on demand
`sions
»Application specific
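The SpSeHjFix log in the post above shows why a single "(deleted)" is not a clean bill of health: the "sp" Run key and Temp\se.dll were deleted in the first run, were back again by the second run, and only the third run found nothing and ended with "Not infected->END". It also shows "(error while deleting)" on HKLM\SOFTWARE\Classes\text/html right after HKCR\text/html was deleted; since HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, that error is most likely the same key already being gone, but it is the kind of line an analyst should look at rather than assume. The following is an added example (not code from the post or from SpSeHjFix) that splits such a log into runs, reports what each run removed, failed to remove or scheduled for delete-on-reboot, flags items that had to be removed in more than one run, and only calls the machine clean if the last run removed nothing and ended clean. The embedded log is a constructed abridgement of the three runs above; the function names are this example's own.

```python
"""Summarize SpSeHjFix run logs to confirm a disinfection actually finished.

Added example, not from the forum post or from SpSeHjFix. The tool appends a
timestamped section to its log on every run; this parser splits the log into
runs and reports what each run deleted, what it failed to delete, what it
scheduled for delete-on-reboot, and whether the last run ended clean.
"""
import re

# Constructed sample: an abridgement of the three runs posted above.
SAMPLE_LOG = r"""
(3/31/05 00:50:38) SPSeHjFix started v1.1.1
(3/31/05 00:50:45) Disinfection started
(3/31/05 00:50:45) Bad-Dll(IEP): c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:50:45) FilterKey: HKCR\text/html (deleted)
(3/31/05 00:50:45) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(3/31/05 00:50:45) BHO-Key: HKCR\CLSID\{AC3AA9C6-B511-4936-9EF6-35C83DC820C0} (deleted)
(3/31/05 00:50:45) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(3/31/05 00:50:45) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(3/31/05 00:50:45) File added to delete: c:\winnt\system32\ijbl.dll
(3/31/05 00:50:45) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:50:45) Reboot
(3/31/05 00:54:33) SPSeHjFix started v1.1.1
(3/31/05 00:55:20) Disinfection started
(3/31/05 00:55:20) Bad-Dll(IEP): (not found)
(3/31/05 00:55:20) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ANYUSE~1.ANY\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(3/31/05 00:55:20) Bad IE-pages: (none)
(3/31/05 00:55:20) File added to delete: c:\docume~1\anyuse~1.any\locals~1\temp\se.dll
(3/31/05 00:55:20) Reboot
(3/31/05 01:03:41) SPSeHjFix started v1.1.1
(3/31/05 01:03:50) Disinfection started
(3/31/05 01:03:50) Bad-Dll(IEP): (not found)
(3/31/05 01:03:50) Bad IE-pages: (none)
(3/31/05 01:03:50) Not infected->END
"""

STAMPED_RE = re.compile(r"^\((?P<ts>[^)]+)\)\s+(?P<msg>.+)$")


def parse_runs(log_text):
    """Split the log at each 'SPSeHjFix started' line into a list of runs."""
    runs = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STAMPED_RE.match(line)
        msg = m.group("msg") if m else line   # the 'deleted: ...' lines carry no stamp
        if msg.startswith("SPSeHjFix started"):
            runs.append({"started": m.group("ts"), "deleted": [], "errors": [],
                         "files_on_reboot": [], "clean": False})
            continue
        if not runs:
            continue                            # text before the first run header
        run = runs[-1]
        if msg.endswith(" (deleted)"):
            run["deleted"].append(msg[:-len(" (deleted)")])
        elif msg.endswith(" (error while deleting)"):
            run["errors"].append(msg[:-len(" (error while deleting)")])
        elif msg.startswith("deleted: "):
            run["deleted"].append(msg[len("deleted: "):])
        elif msg.startswith("File added to delete: "):
            run["files_on_reboot"].append(msg[len("File added to delete: "):])
        elif msg == "Not infected->END":
            run["clean"] = True
    return runs


def verify(log_text):
    """Verdict: 'ok' only if the LAST run removed nothing, scheduled nothing
    and ended with 'Not infected->END'. 'recurring' lists items removed in
    more than one run (something put them back between runs); 'errors' lists
    every key the tool could not delete, for manual inspection."""
    runs = parse_runs(log_text)
    seen = {}
    for i, run in enumerate(runs):
        for item in run["deleted"] + run["files_on_reboot"]:
            seen.setdefault(item.lower(), set()).add(i)
    last = runs[-1] if runs else None
    return {
        "runs": len(runs),
        "ok": bool(last and last["clean"] and not last["deleted"] and not last["files_on_reboot"]),
        "recurring": sorted(k for k, v in seen.items() if len(v) > 1),
        "errors": [e for r in runs for e in r["errors"]],
    }


if __name__ == "__main__":
    for n, run in enumerate(parse_runs(SAMPLE_LOG), 1):
        print("run %d at %s: %d deleted, %d errors, %d files on reboot, clean=%s" % (
            n, run["started"], len(run["deleted"]), len(run["errors"]),
            len(run["files_on_reboot"]), run["clean"]))
    print(verify(SAMPLE_LOG))
```

On the sample this reports three runs, the "sp" Run key and Temp\se.dll as recurring (removed in runs one and two), the single HKLM\SOFTWARE\Classes\text/html deletion error, and an overall clean verdict because the third run removed nothing and ended clean. A log whose last run still schedules a file for delete-on-reboot, or still deletes the Run key, would be reported as not ok regardless of how many "(deleted)" lines precede it.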
-
That's looking better, but by the lack of Windows updates you will probably get reinfected
You should visit Windows Updates and get all the latest Critical updates and Service Packs
Don't install the Recommended updates unless preferred
Restart your machine when prompted and go back to Windows updates until there are no more Critical and Service Packs to Install
When that's done
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
I also see the Messenger service running; this can allow popups even when you're not online. This is not the same as MSN Messenger.
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Messenger
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled