Post by: Loquita2576 on April 02, 2005, 07:13:40 PM
Kimberly
Logfile of HijackThis v1.99.1
Scan saved at 6:11:32 PM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kimberly Klein\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O2 - BHO: XBTB09580 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\WORDRE~1\WORDRE~1.DLL
O2 - BHO: (no name) - {F73C3A01-97E7-433F-B371-CF40C9C57BEE} - C:\WINDOWS\System32\cecp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O3 - Toolbar: WordReferenceEsEn - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\WordReferenceEsEn\wordreferenceEsEn.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O18 - Filter: text/html - {F75684B1-5947-40D3-B5FF-C871C900BB91} - C:\WINDOWS\System32\cecp.dll
O18 - Filter: text/plain - {F75684B1-5947-40D3-B5FF-C871C900BB91} - C:\WINDOWS\System32\cecp.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
Post by: guestolo on April 03, 2005, 03:49:25 AM
UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers, put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.
Copy and Paste the contents of that log back here
Could you also
Download and save to Desktop DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post back this log
Along with a fresh Hijackthis log
Post by: Loquita2576 on April 06, 2005, 09:35:36 PM
here is the log>
StartDreck (build 2.1.7 public stable) - 2005-04-06 @ 21:30:19 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Kimberly Klein at KIMBERLY
»Registry
»Files
»System/Drivers
»NT Services
*Alerter Alerter - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service ALG - on demand
`binary: C:\WINDOWS\System32\alg.exe
*Application Management AppMgmt - on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows Audio AudioSrv running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Background Intelligent Transfer Service BITS - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser Browser running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Indexing Service cisvc - on demand
`binary: C:\WINDOWS\System32\cisvc.exe
*ClipBook ClipSrv - on demand
`binary: C:\WINDOWS\system32\clipsrv.exe
*COM+ System Application COMSysApp - on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Cryptographic Services CryptSvc running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*DHCP Client Dhcp running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service dmadmin - on demand
`binary: C:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager dmserver - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client Dnscache running auto
`binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
*Error Reporting Service ERSvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log Eventlog running auto
`binary: C:\WINDOWS\system32\services.exe
*COM+ Event System EventSystem running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Help and Support helpsvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*HID Input Service HidServ running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*IMAPI CD-Burning COM Service ImapiService - on demand
`binary: C:\WINDOWS\System32\ImapiRox.exe
*Server lanmanserver running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation lanmanworkstation running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*TCP/IP NetBIOS Helper LmHosts running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Messenger Messenger running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
`binary: C:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator MSDTC - on demand
`binary: C:\WINDOWS\System32\msdtc.exe
*Windows Installer MSIServer - on demand
`binary: C:\WINDOWS\System32\msiexec.exe /V
*Network DDE NetDDE - on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Network DDE DSDM NetDDEdsdm - on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Net Logon Netlogon - on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Network Connections Netman running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Location Awareness (NLA) Nla running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NT LM Security Support Provider NtLmSsp - on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Removable Storage NtmsSvc - on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Plug and Play PlugPlay running auto
`binary: C:\WINDOWS\system32\services.exe
*IPSEC Services PolicyAgent running auto
`binary: C:\WINDOWS\System32\lsass.exe
*Protected Storage ProtectedStorage running auto
`binary: C:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager RasAuto - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager RasMan running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager RDSessMgr - on demand
`binary: C:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access RemoteAccess - disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
`binary: C:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC) RpcSs running auto
`binary: C:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP RSVP - on demand
`binary: C:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager SamSs running auto
`binary: C:\WINDOWS\system32\lsass.exe
*Smart Card Helper SCardDrv - on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Smart Card SCardSvr - on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler Schedule running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon seclogon running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification SENS running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Shell Hardware Detection ShellHWDetection running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Print Spooler Spooler running auto
`binary: C:\WINDOWS\system32\spoolsv.exe
*System Restore Service srservice running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service SSDPSRV running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA) stisvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider SwPrv - on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{95B6B685-1498-480F-8CD9-E0AC0504F680}
*Performance Logs and Alerts SysmonLog - on demand
`binary: C:\WINDOWS\system32\smlogsvc.exe
*Telephony TapiSrv running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services TermService running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Themes Themes running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Distributed Link Tracking Client TrkWks running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Upload Manager uploadmgr running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host upnphost - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply UPS - on demand
`binary: C:\WINDOWS\System32\ups.exe
*Volume Shadow Copy VSS - on demand
`binary: C:\WINDOWS\System32\vssvc.exe
*Windows Time W32Time running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WebClient WebClient running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation winmgmt running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Portable Media Serial Number WmdmPmSp running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter WmiApSrv - on demand
`binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
*Automatic Updates wuauserv running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration WZCSVC running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
`binary:
*abp480n5 abp480n5 - disabled
`binary:
*Intel® 82801 Audio Driver Install Service (WD ac97intc running on demand
`M)
`binary: system32\drivers\ac97intc.sys
*Microsoft ACPI Driver ACPI running boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC ACPIEC - disabled
`binary:
*adpu160m adpu160m - disabled
`binary:
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment AFD running auto
`binary: \SystemRoot\System32\drivers\afd.sys
*Aha154x Aha154x - disabled
`binary:
*aic78u2 aic78u2 - disabled
`binary:
*aic78xx aic78xx - disabled
`binary:
*AliIde AliIde - disabled
`binary:
*amsint amsint - disabled
`binary:
*ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethe AN983 running on demand
`rnet Adapter
`binary: System32\DRIVERS\AN983.sys
*asc asc - disabled
`binary:
*asc3350p asc3350p - disabled
`binary:
*asc3550 asc3550 - disabled
`binary:
*ASCTRM ASCTRM running auto
`binary:
*RAS Asynchronous Media Driver AsyncMac - on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller atapi running boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk Atdisk - disabled
`binary:
*ATM ARP Client Protocol Atmarpc - on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver audstub running on demand
`binary: System32\DRIVERS\audstub.sys
*Beep Beep running system
`binary:
*cbidf2k cbidf2k - disabled
`binary:
*cd20xrnt cd20xrnt - disabled
`binary:
*Cdaudio Cdaudio - system
`binary:
*Cdfs Cdfs running disabled
`binary:
*Cdr4_xp Cdr4_xp running system
`binary:
*Cdralw2k Cdralw2k running system
`binary:
*CD-ROM Driver Cdrom running system
`binary: System32\DRIVERS\cdrom.sys
*cdudf_xp cdudf_xp running system
`binary:
*Changer Changer - system
`binary:
*CmdIde CmdIde - disabled
`binary:
*Cpqarray Cpqarray - disabled
`binary:
*dac960nt dac960nt - disabled
`binary:
*Disk Driver Disk running boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot dmboot - disabled
`binary: System32\drivers\dmboot.sys
*dmio dmio - disabled
`binary: System32\drivers\dmio.sys
*dmload dmload - disabled
`binary: System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
`binary: system32\drivers\DMusic.sys
*dpti2o dpti2o - disabled
`binary:
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
`binary: system32\drivers\drmkaud.sys
*dvd_2K dvd_2K - on demand
`binary:
*Fallback Fallback running auto
`binary: System32\DRIVERS\fallback.sys
*Fastfat Fastfat running disabled
`binary:
*Floppy Disk Controller Driver Fdc running on demand
`binary: System32\DRIVERS\fdc.sys
*Fips Fips running system
`binary:
*Floppy Disk Driver Flpydisk running on demand
`binary: System32\DRIVERS\flpydisk.sys
*Fsks Fsks running auto
`binary: System32\DRIVERS\fsksnt.sys
*Volume Manager Driver Ftdisk running boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*Generic Packet Classifier Gpc running on demand
`binary: System32\DRIVERS\msgpc.sys
*Microsoft HID Class Driver hidusb running on demand
`binary: System32\DRIVERS\hidusb.sys
*hpn hpn - disabled
`binary:
*hpt3xx hpt3xx - disabled
`binary:
*i2omgmt i2omgmt - system
`binary:
*i2omp i2omp - disabled
`binary:
*i8042prt i8042prt - system
`binary:
*i81x i81x running on demand
`binary: System32\DRIVERS\i81xnt5.sys
*iAimFP0 iAimFP0 - on demand
`binary: System32\DRIVERS\wADV01nt.sys
*iAimFP1 iAimFP1 - on demand
`binary: System32\DRIVERS\wADV02NT.sys
*iAimFP2 iAimFP2 - on demand
`binary: System32\DRIVERS\wADV05NT.sys
*iAimFP3 iAimFP3 - on demand
`binary: System32\DRIVERS\wSiINTxx.sys
*iAimFP4 iAimFP4 - on demand
`binary: System32\DRIVERS\wVchNTxx.sys
*iAimFP5 iAimFP5 - on demand
`binary: System32\DRIVERS\wADV07nt.sys
*iAimFP6 iAimFP6 - on demand
`binary: System32\DRIVERS\wADV08nt.sys
*iAimFP7 iAimFP7 - on demand
`binary: System32\DRIVERS\wADV09nt.sys
*iAimFP8 iAimFP8 - on demand
`binary: System32\DRIVERS\wADV11nt.sys
*iAimTV0 iAimTV0 - on demand
`binary: System32\DRIVERS\wATV01nt.sys
*iAimTV1 iAimTV1 - on demand
`binary: System32\DRIVERS\wATV02NT.sys
*iAimTV2 iAimTV2 - on demand
`binary: System32\DRIVERS\wATV03nt.sys
*iAimTV3 iAimTV3 - on demand
`binary: System32\DRIVERS\wATV04nt.sys
*iAimTV4 iAimTV4 - on demand
`binary: System32\DRIVERS\wCh7xxNT.sys
*iAimTV5 iAimTV5 - on demand
`binary: System32\DRIVERS\wATV10nt.sys
*iAimTV6 iAimTV6 - on demand
`binary: System32\DRIVERS\wATV06nt.sys
*Ich Ich running on demand
`binary: System32\DRIVERS\Ich.sys
*Imapi Imapi running system
`binary: system32\drivers\ImapiRox.sys
*ini910u ini910u - disabled
`binary:
*IntelIde IntelIde running boot
`binary: \SystemRoot\System32\DRIVERS\intelide.sys
*IP Traffic Filter Driver IpFilterDriver - on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver IpInIp - on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator IpNat - on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver IPSec running system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service IRENUM - on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver isapnp running boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*K56 K56 running auto
`binary: System32\DRIVERS\k56nt.sys
*Keyboard Class Driver Kbdclass running system
`binary: System32\DRIVERS\kbdclass.sys
*Keyboard HID Driver kbdhid running system
`binary: System32\DRIVERS\kbdhid.sys
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
`binary: system32\drivers\kmixer.sys
*KSecDD KSecDD running boot
`binary:
*lbrtfdc lbrtfdc - system
`binary:
*mmc_2K mmc_2K running on demand
`binary:
*mnmdd mnmdd running system
`binary:
*Modem Modem running on demand
`binary:
*Unimodem Streaming Filter Device MODEMCSA running on demand
`binary: system32\drivers\MODEMCSA.sys
*Mouse Class Driver Mouclass running system
`binary: System32\DRIVERS\mouclass.sys
*Mouse HID Driver mouhid running on demand
`binary: System32\DRIVERS\mouhid.sys
*Mount Point Manager MountMgr running boot
`binary:
*mraid35x mraid35x - disabled
`binary:
*WebDav Client Redirector MRxDAV running on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb MRxSmb running system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs Msfs running system
`binary:
*Microsoft Streaming Service Proxy MSKSSRV - on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
`binary: system32\drivers\MSPQM.sys
*Mup Mup running boot
`binary:
*MxlW2k MxlW2k running auto
`binary:
*NDIS System Driver NDIS running boot
`binary:
*Remote Access NDIS TAPI Driver NdisTapi running on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol Ndisuio running on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver NdisWan running on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy NDProxy running on demand
`binary:
*NetBIOS Interface NetBIOS running system
`binary: System32\DRIVERS\netbios.sys
*NetBios over Tcpip NetBT running system
`binary: System32\DRIVERS\netbt.sys
*Npfs Npfs running system
`binary:
*Ntfs Ntfs running disabled
`binary:
*Null Null running system
`binary:
*IPX Traffic Filter Driver NwlnkFlt - on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*Intel PentiumIII Processor Driver P3 running system
`binary: System32\DRIVERS\p3.sys
*Parallel port driver Parport running on demand
`binary: System32\DRIVERS\parport.sys
*Partition Manager PartMgr running boot
`binary:
*ParVdm ParVdm running auto
`binary:
*PCI Bus Driver PCI running boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump PCIDump - system
`binary:
*PCIIde PCIIde - disabled
`binary:
*Pcmcia Pcmcia - disabled
`binary:
*PDCOMP PDCOMP - on demand
`binary:
*PDFRAME PDFRAME - on demand
`binary:
*PDRELI PDRELI - on demand
`binary:
*PDRFRAME PDRFRAME - on demand
`binary:
*perc2 perc2 - disabled
`binary:
*perc2hib perc2hib - disabled
`binary:
*WAN Miniport (PPTP) PptpMiniport running on demand
`binary: System32\DRIVERS\raspptp.sys
*QoS Packet Scheduler PSched running on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver Ptilink running on demand
`binary: System32\DRIVERS\ptilink.sys
*pwd_2K pwd_2K running system
`binary:
*ql1080 ql1080 - disabled
`binary:
*Ql10wnt Ql10wnt - disabled
`binary:
*ql12160 ql12160 - disabled
`binary:
*ql1240 ql1240 - disabled
`binary:
*ql1280 ql1280 - disabled
`binary:
*Remote Access Auto Connection Driver RasAcd running system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP) Rasl2tp running on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver RasPppoe running on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel Raspti running on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss Rdbss running system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD RDPCDD running system
`binary: System32\DRIVERS\RDPCDD.sys
*RDPWD RDPWD - on demand
`binary:
*Digital CD Audio Playback Filter Driver redbook running system
`binary: System32\DRIVERS\redbook.sys
*Rksample Rksample running on demand
`binary: System32\DRIVERS\rksample.sys
*Secdrv Secdrv - on demand
`binary: System32\DRIVERS\secdrv.sys
*Serial Serial - auto
`binary:
*Sfloppy Sfloppy - system
`binary:
*Simbad Simbad - disabled
`binary:
*SoftFax SoftFax running auto
`binary: System32\DRIVERS\faxnt.sys
*Sony USB Filter Driver (SONYPVU1) SONYPVU1 - on demand
`binary: System32\DRIVERS\SONYPVU1.SYS
*Sparrow Sparrow - disabled
`binary:
*SpeakerPhone SpeakerPhone running auto
`binary: System32\DRIVERS\spkpnt.sys
*Microsoft Kernel Audio Splitter splitter - on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver sr running boot
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv Srv running on demand
`binary: System32\DRIVERS\srv.sys
*StreamDispatcher StreamDispatcher running auto
`binary: System32\DRIVERS\strmdisp.sys
*Software Bus Driver swenum running on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
`binary: system32\drivers\swmidi.sys
*symc810 symc810 - disabled
`binary:
*symc8xx symc8xx - disabled
`binary:
*sym_hi sym_hi - disabled
`binary:
*sym_u3 sym_u3 - disabled
`binary:
*Microsoft Kernel System Audio Device sysaudio running on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver Tcpip running system
`binary: System32\DRIVERS\tcpip.sys
*TDPIPE TDPIPE - on demand
`binary:
*TDTCP TDTCP - on demand
`binary:
*Terminal Device Driver TermDD running system
`binary: System32\DRIVERS\termdd.sys
*Tones Tones running auto
`binary: System32\DRIVERS\tonesnt.sys
*TosIde TosIde - disabled
`binary:
*UdfReadr_xp UdfReadr_xp running system
`binary:
*Udfs Udfs - disabled
`binary:
*ultra ultra - disabled
`binary:
*Microcode Update Driver Update running on demand
`binary: System32\DRIVERS\update.sys
*Microsoft USB Generic Parent Driver usbccgp running on demand
`binary: System32\DRIVERS\usbccgp.sys
*Microsoft USB Standard Hub Driver usbhub running on demand
`binary: System32\DRIVERS\usbhub.sys
*Microsoft USB PRINTER Class usbprint running on demand
`binary: System32\DRIVERS\usbprint.sys
*USB Scanner Driver usbscan - on demand
`binary: System32\DRIVERS\usbscan.sys
*USB Mass Storage Driver USBSTOR - on demand
`binary: System32\DRIVERS\USBSTOR.SYS
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*V124 V124 running auto
`binary: System32\DRIVERS\v124nt.sys
*VGA Display Controller. VgaSave running system
`binary: \SystemRoot\System32\drivers\vga.sys
*ViaIde ViaIde - disabled
`binary:
*VolSnap VolSnap running boot
`binary:
*Remote Access IP ARP Driver Wanarp running on demand
`binary: System32\DRIVERS\wanarp.sys
*WAN Miniport (ATW) wanatw - on demand
`binary: System32\DRIVERS\wanatw4.sys
*WDICA WDICA - on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
`binary: system32\drivers\wdmaud.sys
*winachsf winachsf running on demand
`binary: System32\DRIVERS\HSF_CNXT.sys
»Application specific
Nothing was found in the DLLCompare
DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />"________________________________________________
1,115 items found: 1,115 files, 0 directories.
Total of file sizes: 202,854,036 bytes 193.45 M
Administrator Account = True
--------------------End log---------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:33:30 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kimberly Klein\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O2 - BHO: XBTB09580 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\WORDRE~1\WORDRE~1.DLL
O2 - BHO: (no name) - {F73C3A01-97E7-433F-B371-CF40C9C57BEE} - C:\WINDOWS\System32\cecp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O3 - Toolbar: WordReferenceEsEn - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\WordReferenceEsEn\wordreferenceEsEn.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O18 - Filter: text/html - {F75684B1-5947-40D3-B5FF-C871C900BB91} - C:\WINDOWS\System32\cecp.dll
O18 - Filter: text/plain - {F75684B1-5947-40D3-B5FF-C871C900BB91} - C:\WINDOWS\System32\cecp.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
Thanks for your help... I'll try and check back tomorrow!!
Kimberly
Post by: guestolo on April 06, 2005, 09:41:57 PM
Post by: guestolo on April 06, 2005, 09:54:26 PM
Can you save Hijackthis too a permanent folder please
EG...//
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
This is important because HijackThis makes backups to that same folder
You can redownload Hijackthis from my signature below
and save it to that new folder
==Download and Unzip to your desktop SpSeHjFix112.zip (http://\"http://www.derbilk.de/404.html\")
from this link, ensure you download the correct version for your operating system
=====Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, recylebin
Windows Cleanup (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install for now, don't run a scan yet
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
==Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart the computer or log off yet
==Double click to run SpSeHjFix112.exe>>ensure you unzipped this
Click the Start Disinfection
Let it scan>>It should Reboot your computer
Allow to restart back to Normal mode
Back in Windows>>Run another scan with Hijackthis and post the log
Also post the log from SpSeHjFix112.exe
Could you also run Startdreck in this manner and post the log
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log