TheTechGuide Forum
General Category => Tech Clinic => Topic started by: ochie on April 18, 2005, 03:50:57 AM
-
I'm new here and would appreciate some help. Explorer seems to be stuck on the site all-ru no matter what I do. I finally resorted to searching the net for a solution and found this place. Please help.
I am not entirely sure how to do this - hope I'm not posting things in the wrong place.
thanks
ochie
This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 07:10:10, on 12/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Common Files\GMT\GMT.exe
D:\Program Files\Common Files\CMEII\CMESys.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C:oo.mht!http://superprogdownload.com/download/helps/id/187787/1632098270.chm::/win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD3746BA-E008-41BD-A14B-D119ACC8F4E3}: NameServer = 203.197.12.30 202.54.1.18
O19 - User stylesheet: D:\WINDOWS\stsheets.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Up to the top.
I think my post has gotten left out. Someone please help.
ochie
-
Sorry for the delay. If you could do the following for me now, I'll take a look at your log tomorrow when I get off work.
Create a new folder on your desktop
Right click an empty spot on the desktop
Select NEW>>FOLDER
Name the new folder Locate
Download and save to desktop Locate.zip (http://www.atribune.org/downloads/locate.zip)
UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat
Could you also
Download Startdreck.zip (http://www.niksoft.at/php/dl.php?f=startdreck.zip)
UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers", put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.
Copy and Paste the contents of that log back here
-
I ran locate.bat, but just got a black window with a blinking cursor, and the window went away after a while. I don't think it found anything.
This is the StartDreck log:
StartDreck (build 2.1.7 public stable) - 2005-01-13 @ 05:04:10 (GMT +05:30)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as John at JOSEPH-XBTEGV7B
»Registry
»Files
»System/Drivers
»NT Services
*Alerter Alerter - on demand
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service ALG - on demand
`binary: D:\WINDOWS\System32\alg.exe
*Application Management AppMgmt - on demand
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows Audio AudioSrv running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Background Intelligent Transfer Service BITS - on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser Browser running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Symantec Event Manager ccEvtMgr running auto
`binary: "D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*Symantec Password Validation ccPwdSvc - on demand
`binary: "D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
*Symantec Settings Manager ccSetMgr running auto
`binary: "D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*Indexing Service cisvc - on demand
`binary: D:\WINDOWS\System32\cisvc.exe
*ClipBook ClipSrv - on demand
`binary: D:\WINDOWS\system32\clipsrv.exe
*COM+ System Application COMSysApp - on demand
`binary: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Cryptographic Services CryptSvc running auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*DHCP Client Dhcp running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service dmadmin - on demand
`binary: D:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager dmserver running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client Dnscache running auto
`binary: D:\WINDOWS\System32\svchost.exe -k NetworkService
*Error Reporting Service ERSvc running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log Eventlog running auto
`binary: D:\WINDOWS\system32\services.exe
*COM+ Event System EventSystem running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Help and Support helpsvc running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Human Interface Device Access HidServ - disabled
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*IMAPI CD-Burning COM Service ImapiService - on demand
`binary: D:\WINDOWS\System32\imapi.exe
*Server lanmanserver running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation lanmanworkstation running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*TCP/IP NetBIOS Helper LmHosts running auto
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Machine Debug Manager MDM running auto
`binary: "D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
*Messenger Messenger running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
`binary: D:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator MSDTC - on demand
`binary: D:\WINDOWS\System32\msdtc.exe
*Windows Installer MSIServer - on demand
`binary: D:\WINDOWS\System32\msiexec.exe /V
*Norton AntiVirus Auto-Protect Service navapsvc running auto
`binary: "D:\Program Files\Norton AntiVirus\navapsvc.exe"
*Network DDE NetDDE - on demand
`binary: D:\WINDOWS\system32\netdde.exe
*Network DDE DSDM NetDDEdsdm - on demand
`binary: D:\WINDOWS\system32\netdde.exe
*Net Logon Netlogon - on demand
`binary: D:\WINDOWS\System32\lsass.exe
*Network Connections Netman running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Location Awareness (NLA) Nla running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Norton AntiVirus Firewall Monitor Service NPFMntor running auto
`binary: D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*NT LM Security Support Provider NtLmSsp - on demand
`binary: D:\WINDOWS\System32\lsass.exe
*Removable Storage NtmsSvc - on demand
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Plug and Play PlugPlay running auto
`binary: D:\WINDOWS\system32\services.exe
*IPSEC Services PolicyAgent running auto
`binary: D:\WINDOWS\System32\lsass.exe
*Protected Storage ProtectedStorage running auto
`binary: D:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager RasAuto running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager RasMan running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager RDSessMgr - on demand
`binary: D:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access RemoteAccess - disabled
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Registry RemoteRegistry running auto
`binary: D:\WINDOWS\system32\svchost.exe -k LocalService
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
`binary: D:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC) RpcSs running auto
`binary: D:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP RSVP - on demand
`binary: D:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager SamSs running auto
`binary: D:\WINDOWS\system32\lsass.exe
*SAVScan SAVScan - on demand
`binary: D:\Program Files\Norton AntiVirus\SAVScan.exe
*ScriptBlocking Service SBService - auto
`binary: D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
*Smart Card Helper SCardDrv - on demand
`binary: D:\WINDOWS\System32\SCardSvr.exe
*Smart Card SCardSvr - on demand
`binary: D:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler Schedule running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon seclogon running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification SENS running auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Shell Hardware Detection ShellHWDetection running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Symantec Network Drivers Service SNDSrvc - on demand
`binary: D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
*Symantec SPBBCSvc SPBBCSvc running auto
`binary: D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
*Print Spooler Spooler running auto
`binary: D:\WINDOWS\system32\spoolsv.exe
*System Restore Service srservice running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service SSDPSRV running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA) stisvc running auto
`binary: D:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider SwPrv - on demand
`binary: D:\WINDOWS\System32\dllhost.exe /Processid:{BFFAC990-E42F-418D-AED2-63CB8716C66A}
*Symantec Core LC Symantec Core LC running auto
`binary: D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
*Performance Logs and Alerts SysmonLog - on demand
`binary: D:\WINDOWS\system32\smlogsvc.exe
*Telephony TapiSrv running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services TermService running on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Themes Themes running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Telnet TlntSvr - on demand
`binary: D:\WINDOWS\System32\tlntsvr.exe
*Distributed Link Tracking Client TrkWks running auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows User Mode Driver Framework UMWdf running auto
`binary: D:\WINDOWS\System32\wdfmgr.exe
*Upload Manager uploadmgr running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host upnphost - on demand
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply UPS - on demand
`binary: D:\WINDOWS\System32\ups.exe
*Volume Shadow Copy VSS - on demand
`binary: D:\WINDOWS\System32\vssvc.exe
*Windows Time W32Time running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*WebClient WebClient running auto
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation winmgmt running auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Portable Media Serial Number Service WmdmPmSN - on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Windows Management Instrumentation Driver Exten Wmi - on demand
`sions
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter WmiApSrv - on demand
`binary: D:\WINDOWS\System32\wbem\wmiapsrv.exe
*Automatic Updates wuauserv running auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration WZCSVC running auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
`binary:
*abp480n5 abp480n5 - disabled
`binary:
*Microsoft ACPI Driver ACPI running boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC ACPIEC - disabled
`binary:
*adpu160m adpu160m - disabled
`binary:
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment AFD running auto
`binary: \SystemRoot\System32\drivers\afd.sys
*Aha154x Aha154x - disabled
`binary:
*aic78u2 aic78u2 - disabled
`binary:
*aic78xx aic78xx - disabled
`binary:
*AliIde AliIde - disabled
`binary:
*amsint amsint - disabled
`binary:
*asc asc - disabled
`binary:
*asc3350p asc3350p - disabled
`binary:
*asc3550 asc3550 - disabled
`binary:
*RAS Asynchronous Media Driver AsyncMac - on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller atapi running boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk Atdisk - disabled
`binary:
*ATM ARP Client Protocol Atmarpc - on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver audstub running on demand
`binary: System32\DRIVERS\audstub.sys
*Beep Beep running system
`binary:
*cbidf2k cbidf2k - disabled
`binary:
*cd20xrnt cd20xrnt - disabled
`binary:
*Cdaudio Cdaudio - system
`binary:
*Cdfs Cdfs running disabled
`binary:
*CD-ROM Driver Cdrom running system
`binary: System32\DRIVERS\cdrom.sys
*Changer Changer - system
`binary:
*CmdIde CmdIde - disabled
`binary:
*Cpqarray Cpqarray - disabled
`binary:
*dac960nt dac960nt - disabled
`binary:
*Disk Driver Disk running boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot dmboot - disabled
`binary: System32\drivers\dmboot.sys
*Logical Disk Manager Driver dmio running boot
`binary: \SystemRoot\System32\drivers\dmio.sys
*dmload dmload running boot
`binary: \SystemRoot\System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
`binary: system32\drivers\DMusic.sys
*dpti2o dpti2o - disabled
`binary:
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
`binary: system32\drivers\drmkaud.sys
*drvmcdb drvmcdb running boot
`binary: \SystemRoot\System32\DRIVERS\drvmcdb.sys
*Accton EN5251 Series Chip Based Fast Ethernet A EN5251 running on demand
`dapter Windows Driver
`binary: System32\DRIVERS\EN5251N5.SYS
*Creative AudioPCI (ES1371,ES1373) (WDM) es1371 running on demand
`binary: system32\drivers\es1371mp.sys
*Fastfat Fastfat running disabled
`binary:
*Floppy Disk Controller Driver Fdc running on demand
`binary: System32\DRIVERS\fdc.sys
*Fips Fips running system
`binary:
*Floppy Disk Driver Flpydisk running on demand
`binary: System32\DRIVERS\flpydisk.sys
*Volume Manager Driver Ftdisk running boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*Game Port Enumerator gameenum running on demand
`binary: System32\DRIVERS\gameenum.sys
*Generic Packet Classifier Gpc running on demand
`binary: System32\DRIVERS\msgpc.sys
*hpn hpn - disabled
`binary:
*hpt3xx hpt3xx - disabled
`binary:
*HP CD Writer Plus Controller Driver HPUATA - on demand
`binary: System32\DRIVERS\HPUATA.sys
*i2omgmt i2omgmt - system
`binary:
*i2omp i2omp - disabled
`binary:
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
`binary: System32\DRIVERS\i8042prt.sys
*i81x i81x running on demand
`binary: System32\DRIVERS\i81xnt5.sys
*iAimFP0 iAimFP0 - on demand
`binary: System32\DRIVERS\wADV01nt.sys
*iAimFP1 iAimFP1 - on demand
`binary: System32\DRIVERS\wADV02NT.sys
*iAimFP2 iAimFP2 - on demand
`binary: System32\DRIVERS\wADV05NT.sys
*iAimFP3 iAimFP3 - on demand
`binary: System32\DRIVERS\wSiINTxx.sys
*iAimFP4 iAimFP4 - on demand
`binary: System32\DRIVERS\wVchNTxx.sys
*iAimTV0 iAimTV0 - on demand
`binary: System32\DRIVERS\wATV01nt.sys
*iAimTV1 iAimTV1 - on demand
`binary: System32\DRIVERS\wATV02NT.sys
*iAimTV2 iAimTV2 - on demand
`binary: System32\DRIVERS\wATV03nt.sys
*iAimTV3 iAimTV3 - on demand
`binary: System32\DRIVERS\wATV04nt.sys
*iAimTV4 iAimTV4 - on demand
`binary: System32\DRIVERS\wCh7xxNT.sys
*Imapi Imapi - system
`binary:
*ini910u ini910u - disabled
`binary:
*IntelIde IntelIde running boot
`binary: \SystemRoot\System32\DRIVERS\intelide.sys
*IP Traffic Filter Driver IpFilterDriver - on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver IpInIp - on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator IpNat - on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver IPSec running system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service IRENUM - on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver isapnp running boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*Keyboard Class Driver Kbdclass running system
`binary: System32\DRIVERS\kbdclass.sys
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
`binary: system32\drivers\kmixer.sys
*KSecDD KSecDD running boot
`binary:
*lbrtfdc lbrtfdc - system
`binary:
*mnmdd mnmdd running system
`binary:
*Modem Modem running on demand
`binary:
*Mouse Class Driver Mouclass running system
`binary: System32\DRIVERS\mouclass.sys
*MountMgr MountMgr running boot
`binary:
*mraid35x mraid35x - disabled
`binary:
*WebDav Client Redirector MRxDAV running on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb MRxSmb running system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs Msfs running system
`binary:
*Microsoft Streaming Service Proxy MSKSSRV - on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
`binary: system32\drivers\MSPQM.sys
*Microsoft MPU-401 MIDI UART Driver ms_mpu401 running on demand
`binary: system32\drivers\msmpu401.sys
*Mup Mup running boot
`binary:
*NAVENG NAVENG running on demand
`binary: \??\D:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050302.008\NAVENG.Sys
*NAVEX15 NAVEX15 running on demand
`binary: \??\D:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050302.008\NavEx15.Sys
*NDIS System Driver NDIS running boot
`binary:
*Remote Access NDIS TAPI Driver NdisTapi running on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol Ndisuio running on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver NdisWan running on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy NDProxy running on demand
`binary:
*NetBIOS Interface NetBIOS running system
`binary: System32\DRIVERS\netbios.sys
*NetBT NetBT running system
`binary: System32\DRIVERS\netbt.sys
*Npfs Npfs running system
`binary:
*Ntfs Ntfs running disabled
`binary:
*Null Null running system
`binary:
*IPX Traffic Filter Driver NwlnkFlt - on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*Intel PentiumIII Processor Driver P3 running system
`binary: System32\DRIVERS\p3.sys
*Parallel port driver Parport running on demand
`binary: System32\DRIVERS\parport.sys
*PartMgr PartMgr running boot
`binary:
*ParVdm ParVdm running auto
`binary:
*PCI Bus Driver PCI running boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump PCIDump - system
`binary:
*PCIIde PCIIde - disabled
`binary:
*pciidexq pciidexq running auto
`binary: \??\D:\WINDOWS\System32\drivers\pciidexq.sys
*Pcmcia Pcmcia - disabled
`binary:
*PDCOMP PDCOMP - on demand
`binary:
*PDFRAME PDFRAME - on demand
`binary:
*PDRELI PDRELI - on demand
`binary:
*PDRFRAME PDRFRAME - on demand
`binary:
*perc2 perc2 - disabled
`binary:
*perc2hib perc2hib - disabled
`binary:
*WAN Miniport (PPTP) PptpMiniport running on demand
`binary: System32\DRIVERS\raspptp.sys
*QoS Packet Scheduler PSched running on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver Ptilink running on demand
`binary: System32\DRIVERS\ptilink.sys
*PxHelp20 PxHelp20 running boot
`binary: \SystemRoot\System32\DRIVERS\PxHelp20.sys
*ql1080 ql1080 - disabled
`binary:
*Ql10wnt Ql10wnt - disabled
`binary:
*ql12160 ql12160 - disabled
`binary:
*ql1240 ql1240 - disabled
`binary:
*ql1280 ql1280 - disabled
`binary:
*Remote Access Auto Connection Driver RasAcd running system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP) Rasl2tp running on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver RasPppoe running on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel Raspti running on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss Rdbss running system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD RDPCDD running system
`binary: System32\DRIVERS\RDPCDD.sys
*Terminal Server Device Redirector Driver rdpdr running on demand
`binary: System32\DRIVERS\rdpdr.sys
*RDPWD RDPWD - on demand
`binary:
*Digital CD Audio Playback Filter Driver redbook running system
`binary: System32\DRIVERS\redbook.sys
*WAN Miniport (PPP over Ethernet Protocol) RMSPPPOE running on demand
`binary: System32\DRIVERS\RMSPPPOE.SYS
*Microsoft Legacy Modem Driver ROOTMODEM running on demand
`binary: System32\Drivers\RootMdm.sys
*SAVRT SAVRT running on demand
`binary: \??\D:\Program Files\Norton AntiVirus\SAVRT.SYS
*SAVRTPEL SAVRTPEL running system
`binary: \??\D:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
*Secdrv Secdrv - on demand
`binary: System32\DRIVERS\secdrv.sys
*Serenum Filter Driver serenum running on demand
`binary: System32\DRIVERS\serenum.sys
*Serial port driver Serial running system
`binary: System32\DRIVERS\serial.sys
*Sfloppy Sfloppy - system
`binary:
*Simbad Simbad - disabled
`binary:
*Sparrow Sparrow - disabled
`binary:
*SPBBCDrv SPBBCDrv running system
`binary: \??\D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
*Microsoft Kernel Audio Splitter splitter - on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver sr running boot
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv Srv running on demand
`binary: System32\DRIVERS\srv.sys
*Software Bus Driver swenum running on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
`binary: system32\drivers\swmidi.sys
*symc810 symc810 - disabled
`binary:
*symc8xx symc8xx - disabled
`binary:
*SYMDNS SYMDNS - on demand
`binary: \??\D:\WINDOWS\System32\Drivers\SYMDNS.SYS
*SymEvent SymEvent running on demand
`binary: \??\D:\Program Files\Symantec\SYMEVENT.SYS
*SYMFW SYMFW - on demand
`binary: \??\D:\WINDOWS\System32\Drivers\SYMFW.SYS
*SYMIDS SYMIDS - on demand
`binary: \??\D:\WINDOWS\System32\Drivers\SYMIDS.SYS
*SYMIDSCO SYMIDSCO - on demand
`binary: \??\D:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20041209.018\symidsco.sys
*symlcbrd symlcbrd running auto
`binary: \??\D:\WINDOWS\System32\drivers\symlcbrd.sys
*SYMNDIS SYMNDIS - on demand
`binary: \??\D:\WINDOWS\System32\Drivers\SYMNDIS.SYS
*SYMREDRV SYMREDRV - on demand
`binary: \??\D:\WINDOWS\System32\Drivers\SYMREDRV.SYS
*SYMTDI SYMTDI running system
`binary: \??\D:\WINDOWS\System32\Drivers\SYMTDI.SYS
*sym_hi sym_hi - disabled
`binary:
*sym_u3 sym_u3 - disabled
`binary:
*Microsoft Kernel System Audio Device sysaudio running on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver Tcpip running system
`binary: System32\DRIVERS\tcpip.sys
*TDPIPE TDPIPE - on demand
`binary:
*TDTCP TDTCP - on demand
`binary:
*Terminal Device Driver TermDD running system
`binary: System32\DRIVERS\termdd.sys
*TosIde TosIde - disabled
`binary:
*Udfs Udfs - disabled
`binary:
*ultra ultra - disabled
`binary:
*Microcode Update Driver Update running on demand
`binary: System32\DRIVERS\update.sys
*USB2 Enabled Hub usbhub running on demand
`binary: System32\DRIVERS\usbhub.sys
*USB Scanner Driver usbscan - on demand
`binary: System32\DRIVERS\usbscan.sys
*USB Mass Storage Driver USBSTOR - on demand
`binary: System32\DRIVERS\USBSTOR.SYS
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*VgaSave VgaSave running system
`binary: \SystemRoot\System32\drivers\vga.sys
*ViaIde ViaIde - disabled
`binary:
*VolSnap VolSnap running boot
`binary:
*Remote Access IP ARP Driver Wanarp running on demand
`binary: System32\DRIVERS\wanarp.sys
*WDICA WDICA - on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
`binary: system32\drivers\wdmaud.sys
»Application specific
-
I forgot to log in when I posted that reply.
I hope that will not get me in trouble! I can post the files again if needed.
ochie
-
Sorry about that. Locate.bat would have made a report; can you open the folder you put Locate in and post back the contents of the text report?
-
Here's the locate.txt:
D:\WINDOWS\SYSTEM32\DRIVERS\PCIIDEXQ.SYS
That's all there was.
When I use Explorer now, it's really, really slow, and the right click on some links seems to open wrong sites. I have to type the link in to get there.
I really need to get this cleaned. Please!
ochie
-
Download and unzip to desktop
iSearch.zip so you now have iSearch.reg on the desktop
[attachment=155:attachment]
Afterwards
If found
do the following in quotes
=Right click on the Gator icon in the System Tray and click on Exit.
=Enter your Control panel from the Start button
=When the Control Panel window opens, double-click on the Add/Remove Programs icon.
=When the Add/Remove Programs Properties window opens, locate Gator in the list of installed programs. Click on it one time and then click on the Add/Remove button.
Follow the on screen instructions.
=Place a check in the box for "Delete User Information"
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
In safe mode, find and delete these files or folders if found
D:\WINDOWS\SYSTEM32\DRIVERS\PCIIDEXQ.SYS <-file
D:\WINDOWS\stsheets.dat <-file
D:\Program Files\Common Files\GMT <-folder
D:\Program Files\Common Files\CMEII <-folder
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C:oo.mht!http://superprogdownload.com/download/helps/id/187787/1632098270.chm::/win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O19 - User stylesheet: D:\WINDOWS\stsheets.dat
After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis
Double click on iSearch.reg and allow it to merge into the registry
Restart back to Normal mode
Download and install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, be sure to click the "Check for updates now" link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning, you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
If you are controlling startup entries with msconfig
Please do a normal startup
Go to START>>RUN>>Type in
msconfig
Hit Ok
Under the general tab do a Normal startup
Restart your computer again if the above is needed
Post back with a fresh HijackThis log afterwards
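As an added illustration (not part of this thread or the helper's instructions): the O1 line above maps auto.search.msn.com to a bare decimal integer, a notation many hosts-file parsers accept but which hides the real destination. The constructed Python checker below unpacks such addresses and flags hosts-file entries that override DNS for search hostnames; the sample hosts text and the watch-list of hostnames are assumptions.

```python
import ipaddress
import re

# Constructed sample hosts-file content, modelled on the O1 line in the
# log above (decimal 1159680172 is a packed 32-bit IPv4 address).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
1159680172      auto.search.msn.com
127.0.0.1       search.netscape.com
"""

# Assumed watch-list: hostnames the browser consults for search/autosearch.
# A hosts entry for any of these overrides DNS and is a hijack indicator.
WATCHED_HOSTS = {"auto.search.msn.com", "search.msn.com", "search.netscape.com"}


def decode_address(token):
    """Return (dotted_ipv4, was_decimal), or (None, False) if the token is not
    an IPv4 address. A bare integer such as '1159680172' is unpacked."""
    if re.fullmatch(r"\d+", token):
        value = int(token)
        if value < 2 ** 32:
            return str(ipaddress.IPv4Address(value)), True
        return None, False
    try:
        return str(ipaddress.IPv4Address(token)), False
    except ValueError:
        return None, False


def audit_hosts(text):
    """Return one finding dict per hosts entry that uses an obfuscated
    address or redirects a watched search hostname."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, was_decimal = decode_address(fields[0])
        for host in fields[1:]:
            reasons = []
            if was_decimal:
                reasons.append("address written as a decimal integer")
            if host.lower() in WATCHED_HOSTS:
                reasons.append("overrides DNS for a search hostname")
            if reasons:
                findings.append({"line": lineno, "host": host,
                                 "address": address, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({'; '.join(f['reasons'])})")
```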
-
Something's gone terribly wrong.
I have 2 operating systems (XP Professional and Windows 98) loaded and restarted the computer with the F8 mode mentioned. I did all that was asked up to restarting back in normal mode in XP, when I got a blue screen and this message:
A problem has been detected and Windows has been shut down to prevent damage to your computer
If this is the first time you've seen this stop error screen, restart your computer. If this appears again, follow these steps.
Check for viruses on your computer. Remove any newly installed hard drives or drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK/F to check for hard drive corruption and then restart your computer.
Technical Information: ***STOP:0X0000007B (0XF967C640, 0XC0000034, 0X00000000, 0X00000000)
I'm working on Windows 98 now, which doesn't seem to have a problem.
Am I done for? :-(
ochie
-
I think I may have used the wrong F8 method.
Is there any way to fix this now?
ochie.
-
Here are the instructions from that link to start in SAFE MODE
1. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
2. When the Boot loader menu (list of the available operating systems) appears, use the arrow keys on the keyboard to select the version of Windows that you want to safe boot into.
3. Press Enter, and then immediately begin tapping the F8 key. The Windows Advanced Options menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
Try getting back in safe mode, not sure what happened
But try restoring your computer to a time before all this mess
START>>All Programs>>Accessories>>System Tools
System Restore
If you still have problems with getting into safe mode
Try last known good configuration
-
That didn't seem to help. The same error message keeps popping up with the dreaded blue screen whether I try safe mode/last known good/normal.
It seems to be a registry problem; can this be fixed? Or is the only option to reinstall Windows XP?
ochie
-
Ouchie, I'm not sure what you deleted or what you're infected with, I'm still trying to figure that part out,
I've fixed this infection a few times with no problems
Are you sure you deleted the proper files???
Anything I asked you to remove would have no bearing on the boot file or corrupt it in any way
I'm positive of that
Are you willing to reformat the drive that XP is on or do you want to take a stab at fixing this thing
Personally, if you do have a boot virus I would start clean
but please try a CHKDSK/F first
-
When I did the HijackThis scan in safe mode I noticed:
O19 - User stylesheet: D:\WINDOWS\stsheets.dat (file missing)
I didn't think the 'file missing' thing was of consequence as I'd just searched for and deleted the file.
It would be best if this can be fixed without formatting the drive because I don't want to lose the data files on this drive.
Is there a way to retrieve the data (configurations and software loaded + data files) and format the drive?
How do you run CHKDSK/F when XP refuses to move past the blue screen?
ochie.
-
Up to the top.
ochie.
-
As you weren't up to date on Windows updates anyway, your best bet is to do a Repair or reinstall
You can reinstall over top or do a Repair
This may be your best bet at the moment