Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - stash3123

Pages: [1]

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

« on: February 02, 2006, 02:51:09 PM »

Here is the new hijackthis log and the ewido log. Regarding scanning at Jotti's malware site, I could not find the lib.exe file on my pc. Nonetheless here are the two logs. thanks again for all your help so far.

Logfile of HijackThis v1.99.1
Scan saved at 2:50:09 PM, on 2/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bardales\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [MMUpdate] L:\IShield\Update\Disk1\update.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cleaner] lib.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://www.gofileroom.com/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O17 - HKLM\System\CS2\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         2:37:06 PM, 2/2/2006
+ Report-Checksum:      9436099C

+ Scan result:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
   [1648] C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.bb : Cleaned with backup
   :mozilla.6:C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.7:C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.8:C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.10:C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.11:C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.12:C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Bardales\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-133dde29-43ad3959.class -> Downloader.OpenStream.y : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\bardales@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\bardales@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\bardales@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Bardales\Cookies\bardales@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\ncj.exe -> Not-A-Virus.Hoax.Win32.Renos.bb : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\0E5651E7-9D85-4D11-9EAC-6F5D62 -> Spyware.Comet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\3168D254-DCA7-4477-B762-E1993D -> Spyware.CometCursor : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\7DD641D4-E1F4-4E55-B801-FE5546 -> Spyware.CometCursor : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\A5381B2F-FD05-41F6-8024-B40C6D -> Spyware.CometCursor : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\BE3A31B9-1A42-41DB-B4A8-960127 -> Spyware.Comet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\CBB93235-4A26-4599-8C23-CDF0D3 -> Spyware.Comet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\D138E88C-F543-4B6F-8DAB-D5DE0E -> Spyware.Comet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\D391B04C-E727-4EFE-8B47-33F778 -> Spyware.CometCursor : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\AAFFBAC7-00EB-4662-8D82-A1F5A8\DEF913C9-E66C-45D5-A1A6-53EB84 -> Spyware.Comet : Cleaned with backup
   C:\Program Files\PestTrap -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\base.avd -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\base001.avd -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\base002.avd -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\found.wav -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\heur000.dll -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\heur001.dll -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\heur002.dll -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\heur003.dll -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\notfound.wav -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\PestTrap.dvm -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\PestTrap.exe -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\removed.wav -> Adware.PestTrap : Cleaned with backup
   C:\Program Files\PestTrap\Uninstall.exe -> Adware.PestTrap : Cleaned with backup
   C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.bb : Cleaned with backup

::Report End

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

« on: February 01, 2006, 10:49:53 AM »

Ok I ran everything exactly the way you directed and here are the logs you requested. The only thing which I do not have is the Ewido report as your instructions didn't mention anything about that. Is that something else I should do? In the meantime here are the hijackthis and smitrem logs. Thank you so much for your help so far.

Logfile of HijackThis v1.99.1
Scan saved at 10:41:34 AM, on 2/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINNT\system32\lib.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Bardales\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [MMUpdate] L:\IShield\Update\Disk1\update.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cleaner] lib.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://www.gofileroom.com/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O17 - HKLM\System\CS2\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Here is the SmitRem log:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Wed 02/01/2006
The current time is: 10:30:16.34

Running from
C:\Documents and Settings\Bardales\Desktop\Cleanup\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

desktop.html

~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 188 'explorer.exe'
Killing PID 188 'explorer.exe'
Error 0x5 : Access is denied.

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

« on: January 31, 2006, 07:53:37 AM »

Anyone...Anyone?

I hear crickets chirping.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

« on: January 30, 2006, 10:07:31 AM »

My desktop is hijacked and am not able to customize or change anything. I am running Windows 2000 professional. I had some spyware/adware that I cleaned out but it seems like this is the remnants that I just can't get rid of. Attached is my hijackthis log. Any help will be greatly appreciated.

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bardales\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Bardales\Application Data\Mozilla\Profiles\default\46bl92mo.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [MMUpdate] L:\IShield\Update\Disk1\update.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cleaner] lib.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://www.gofileroom.com/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O17 - HKLM\System\CS2\Services\Tcpip\..\{8F845CF9-6846-4E61-A208-5D9181582E12}: NameServer = 64.8.192.9,216.175.203.59
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Pages: [1]

TheTechGuide Forum

News:

Show Posts

Messages - stash3123

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP

Tech Clinic / DESKTOP HIJACKING-THIS SUCKS-PLEASE HELP