Tech Clinic / Another TopAnitSpyWare victim
« on: March 06, 2005, 12:42:11 PM »
I fixed the O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
Open Host File Manager shows a blank page.
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43} contains svchost.dll
The desktop and popups stopped, but my taskbar is still hijacked. Whenever I try to enter the taskbar properties it closes itself immediately
-----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:38:27 AM, on 3/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\atacdiran\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.247.16.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: E-mail.lnk = ?
O4 - Startup: translink pivotal.url
O4 - Startup: VirusScan Console.lnk = C:\Program Files\Network Associates\VirusScan\mcconsol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {003D946B-0E64-4C6E-88C6-B5BAB630363E} (Pivotal eRelationship Active Access (Version 5.1) - Portal Preferences Page (rprefs.dll)) - http://asb-sac-pas-001/epower/cab/RDAPREFS.CAB
O16 - DPF: {0047388F-51E3-4F3C-B343-D4C2C6F47E72} (Pivotal eRelationship Active Access (Version 5.1) - Smart Portal (rdaprtl.dll)) - http://asb-sac-pas-001/epower/cab/RDAPRTL.CAB
O16 - DPF: {00479453-31F5-4870-A0FD-BA078BFA789B} (Pivotal eRelationship Active Access (Version 5.1) - Resources (rdares.dll)) - http://asb-sac-pas-001/epower/cab/RDARES.CAB
O16 - DPF: {00499C34-6952-45AD-9697-241B90292833} (Pivotal eRelationship Active Access (Version 5.1) - Stealth Report Interface (rdaRprt.dll)) - http://asb-sac-pas-001/epower/cab/RDARPRT.CAB
O16 - DPF: {00A40008-7D21-4F26-A9D7-A2EFC3771C5F} (Pivotal eRelationship Active Access (Version 5.1) - Shared Object Library Interface (rdashare.dll)) - http://asb-sac-pas-001/epower/cab/RDASHARE.CAB
O16 - DPF: {00FF182B-B4C8-4C76-812F-D24B9A11F242} (Pivotal eRelationship Active Access (Version 5.1) - Portal Control Proxy (rdaui.dll)) - http://asb-sac-pas-001/epower/cab/RdaUI.cab
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.1) - Shortcut Handler (rshortcut.dll)) - http://asb-sac-pas-001/epower/cab/RSHORTCUT.CAB
O16 - DPF: {3814B215-C77A-4EDB-BE3B-F6CB92DD33C5} (Pivotal ePower Lifecycle Engine (Version 5.1) - Instantiator (rdaobjcreate.dll)) - http://asb-sac-pas-001/epower/cab/RdaObjCreate.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.1) - EMail Class (rn1sendx.dll)) - http://asb-sac-pas-001/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.1) - Plug-in Result Return Collection (dfoutils.dll)) - http://asb-sac-pas-001/epower/cab/DFOUTILS.CAB
O16 - DPF: {C45056F0-B4BC-4A65-85F0-2A131563795B} (Pivotal ePower Lifecycle Engine (Version 5.1) - Platform Access (rdaclnt.dll)) - http://asb-sac-pas-001/epower/cab/RDACLNT.CAB
O16 - DPF: {CD883B96-F640-4B89-BA88-F6AE1E72B65B} (Pivotal eRelationship Active Access (Version 5.1) - Email Connector (rdaemail.dll)) - http://asb-sac-pas-001/epower/cab/RDAEMAIL.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\Software\..\Telephony: DomainName = ussfoa.erggroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = erggroup.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
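A HijackThis log has a regular shape: every entry starts with a section code (R1, O1, O4, O16, O23, ...), then " - ", then a body whose layout depends on the section. Reviewers of posts like the one above typically triage a log by section: O1 lines should map names to addresses, so a URL there is a hosts-file redirect; R1 ProxyServer lines show where browser traffic is being sent; "O4 - Startup" lines ending in "= ?" are shortcuts HijackThis could not resolve; O16 DPF entries are ActiveX downloads, worth a second look when they point at an .exe rather than a .cab; O23 services with "Unknown owner" have no vendor string. The following parser and triage pass are an added example, not code from the poster or from the HijackThis project; the function names (parse_hjt, triage), the Entry class and the flag labels are my own, and the sample lines are copied from the log posted above (the proxy is a private-range address that is as likely to be a corporate proxy as anything else, so the flags are review hints, not verdicts).

```python
import re
from dataclasses import dataclass

# Sample lines taken from the HijackThis log posted above (a subset, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.247.16.10:3128
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - Startup: E-mail.lnk = ?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {003D946B-0E64-4C6E-88C6-B5BAB630363E} (Pivotal eRelationship Active Access (Version 5.1) - Portal Preferences Page (rprefs.dll)) - http://asb-sac-pas-001/epower/cab/RDAPREFS.CAB
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
"""

# Every HJT entry is "<section> - <body>"; the section is a letter plus a number.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "R1", "O4", "O23"
    body: str     # everything after "<section> - "


def parse_hjt(text):
    """Split a HijackThis log into entries; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (flag, detail) pairs for the entries a reviewer would check first.

    The flag labels are this example's own naming, not HijackThis terminology.
    """
    findings = []
    for e in entries:
        if e.section == "O1":
            # A hosts entry should be "name -> address"; a URL here is a redirect.
            findings.append(("hosts-redirect", e.body.split(":", 1)[1].strip()))
        elif e.section == "R1" and "ProxyServer" in e.body:
            # Record where the browser is configured to send its traffic.
            findings.append(("proxy-set", e.body.split("=", 1)[1].strip()))
        elif e.section == "O4" and e.body.endswith("= ?"):
            # Startup shortcut whose target HijackThis could not resolve.
            findings.append(("unresolved-startup", e.body))
        elif e.section == "O16":
            # The download URL is the text after the last " - " separator.
            url = e.body.rsplit(" - ", 1)[-1]
            if url.lower().endswith(".exe"):
                findings.append(("dpf-exe-download", url))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            # Service binary with no vendor string; path is after the last " - ".
            findings.append(("service-unknown-owner", e.body.rsplit(" - ", 1)[-1]))
    return findings


def section_counts(entries):
    """Count entries per section, a quick overview of how busy each area of the log is."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(parsed))
    for flag, detail in triage(parsed):
        print(f"{flag:24} {detail}")
```

Run as a script it prints the per-section counts and five flagged items from the sample; point parse_hjt at a full saved log to review the whole thing the same way. The O16 check deliberately splits on the last " - " because Pivotal-style descriptions contain their own " - " inside the parentheses.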