Author Topic: Hijack Log *Computer is Infested"  (Read 1132 times)

Offline xrayted

« on: December 31, 2004, 12:18:28 PM »
Logfile of HijackThis v1.99.0
Scan saved at 10:07:34 PM, on 12/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Darryl\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\Run: [Sysino] lsess.exe
O4 - HKLM\..\Run: [Windows Dialup Service] dialup.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] Win32l.exe
O4 - HKLM\..\Run: [MSN Start] msnmsgr7.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\Run: [Printer] C:\windows\win32sys.exe
O4 - HKLM\..\Run: [Win Users2] uvnczr.exe
O4 - HKLM\..\Run: [Microsoft InstallPatch] ccrs32.exe
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\TEMP\activex.exe
O4 - HKLM\..\Run: [Win32] C:\windows\system32\dk.exe
O4 - HKLM\..\Run: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft AOL32 Protocol] aol32.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\mspaint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\taskmsg.exe
O4 - HKLM\..\Run: [Adobe] C:\WINDOWS\msdos.exe
O4 - HKLM\..\Run: [Spool] C:\windrar.exe
O4 - HKLM\..\Run: [Microsoft ALG32 Protocol] alg32.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [notepad.exe] C:\WINDOWS\dllmanger.exe
O4 - HKLM\..\Run: [Norton Guard 32] ntguard32.exe
O4 - HKLM\..\Run: [Windows Network Controller] mqguard.exe
O4 - HKLM\..\Run: [3eduSR] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [blah service] win32exec.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\suploads.exe
O4 - HKLM\..\Run: [Microsoft Ansti Update] msie.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [ÏòõC<ðË‚ïÁzî[8Ü•C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [Ïò˜¿ÇÏÔ@ÔÁß]­ú"ü‰üžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [Ïò˜¿ÇÏÔÁß]­ú"ü‰üžigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [ur key] sys32pwn.exe
O4 - HKLM\..\Run: [SygateX Personal Firewall] syshdd.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [MS Windows Update] scguard.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\RunServices: [msnmgre] pwned.exe
O4 - HKLM\..\RunServices: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [blah service] win32exec.exe
O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\RunServices: [MSNMaSRR5] MSNMaSGRS.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\RunServices: [Sysino] lsess.exe
O4 - HKLM\..\RunServices: [Microsoft InstallPatch] ccrs32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Windows Dialup Service] dialup.exe
O4 - HKLM\..\RunServices: [windows update] Isass.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Win32l.exe
O4 - HKLM\..\RunServices: [MSN Start] msnmsgr7.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [Win Users2] uvnczr.exe
O4 - HKLM\..\RunServices: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Microsoft AOL32 Protocol] aol32.exe
O4 - HKLM\..\RunServices: [Microsoft ALG32 Protocol] alg32.exe
O4 - HKLM\..\RunServices: [Norton Guard 32] ntguard32.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] mqguard.exe
O4 - HKLM\..\RunServices: [Microsoft Ansti Update] msie.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [ur key] sys32pwn.exe
O4 - HKLM\..\RunServices: [SygateX Personal Firewall] syshdd.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [MS Windows Update] scguard.exe
O4 - HKLM\..\RunServices: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\RunOnce: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] mqguard.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\Run: [Sysino] lsess.exe
O4 - HKCU\..\Run: [Windows Dialup Service] dialup.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sygate Personal Firewall] Win32l.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [msdev] msconfig.exe
O4 - HKCU\..\Run: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKCU\..\Run: [Winamp media player] winapa.exe
O4 - HKCU\..\Run: [Microsoft AOL32 Protocol] aol32.exe
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Microsoft ALG32 Protocol] alg32.exe
O4 - HKCU\..\Run: [Windows Network Controller] mqguard.exe
O4 - HKCU\..\Run: [blah service] win32exec.exe
O4 - HKCU\..\Run: [Microsoft Ansti Update] msie.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Ycahoua] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [ur key] sys32pwn.exe
O4 - HKCU\..\Run: [SygateX Personal Firewall] syshdd.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [prutdct] C:\WINDOWS\System32\prutdct.exe
O4 - HKCU\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKCU\..\RunServices: [blah service] win32exec.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] mqguard.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Microsoft Disk Scanner - Unknown - C:\WINDOWS\System32\scansdisk.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Dialup Service - Unknown - C:\WINDOWS\System32\dialup.exe (file missing)

Offline guestolo

« Reply #1 on: December 31, 2004, 07:08:09 PM »
It appears that you may have supplied a Hijackthis log in safe mode
If this is the only way you can get online that's ok for now
In the future I would like to see one in Normal mode

We may not get it all the first go, but we'll try and stop a lot of the malware from running on startup

If you can do the following please, do as much as you can before posting back a new log

Please redownload Hijackthis and save it to a permanent folder
anything we remove will make backups, and we are going to clean your Temp folders
Backups will be lost

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from This Link--CLICK HERE or This Link--CLICK HERE
Save it to that new folder

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as search.reg
This will help to restore your default searchhooks

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as removetrust.reg
This will help to remove the O15 entries in your log

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

Save this file on the desktop, we'll need this later, don't run it yet

NEXT:Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version, or the Professional series
Open Ad-Aware, ensure to click the  check for updates online link and Connect to download the latest updates
Don't run a Scan yet

Download and Install Windows CleanUp!
This will cleanup your temp folders, cookies, etc....
Don't run this yet
The above link, you will have to Right click on the link and Copy Shortcut
Paste it to the IE address bar and hit Go

Download and save to Desktop McAfee's stinger
http://download.nai.com/products/mcafee-av...ert/stinger.exe
Don't run this yet

Print this out or save it to a Notepad file on your desktop for easy access, Disconnect from the Internet, I will also need you to Restart into Safe mode
Restart your computer to safe mode

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.


Find and delete these folders
Program Files\ISTsvc <--folder
C:\Program Files\Admilli Service <--folder

Find and delete these files if they exist, make sure they have the exact name when deleting, many files have similar names that are legitimate
Eg..scansdisk.exe <<BAD  scandisk.exe <<GOOD
Notice the extra s in the first one, most of these files may be located in your
C:\WINDOWS\system32 folder
But do a search for them

csdata32.exe
windnsd.exe
lsess.exe <--remember, exact spelling, there is a legit lsass.exe in the System32 folder
Win32l.exe
msnmsgr7.exe
win32usb.exe
uvnczr.exe
ccrs32.exe
dk.exe
scansdisk.exe
winapa.exe
aol32.exe
lssrv.exe
ntguard32.exe
mqguard.exe
win32exec.exe
msie.exe
scvhosting.exe
sys32pwn.exe
syshdd.exe
iexplorerupdt.exe


C:\WINDOWS\sdklor.exe <--this file
c:\x.cab <--file
C:\windrar.exe <--file
C:\windows\system32\dk.exe
C:\windows\win32sys.exe
C:\WINDOWS\mmups.exe
C:\WINDOWS\TEMP\activex.exe
C:\WINDOWS\dllmanger.exe
C:\WINDOWS\sdklor.exe
C:\WINDOWS\taskmsg.exe <--careful of the spelling
C:\WINDOWS\msdos.exe
C:\WINDOWS\mspaint.exe <--this file, only the one in the Windows folder
There is a legitimate mspaint.exe in the System32 folder

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\Run: [Sysino] lsess.exe
O4 - HKLM\..\Run: [Windows Dialup Service] dialup.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] Win32l.exe
O4 - HKLM\..\Run: [MSN Start] msnmsgr7.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\Run: [Printer] C:\windows\win32sys.exe
O4 - HKLM\..\Run: [Win Users2] uvnczr.exe
O4 - HKLM\..\Run: [Microsoft InstallPatch] ccrs32.exe
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\TEMP\activex.exe
O4 - HKLM\..\Run: [Win32] C:\windows\system32\dk.exe
O4 - HKLM\..\Run: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKLM\..\Run: [Winamp media player] winapa.exe

O4 - HKLM\..\Run: [Microsoft AOL32 Protocol] aol32.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\mspaint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\taskmsg.exe
O4 - HKLM\..\Run: [Adobe] C:\WINDOWS\msdos.exe
O4 - HKLM\..\Run: [Spool] C:\windrar.exe
O4 - HKLM\..\Run: [Microsoft ALG32 Protocol] alg32.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [notepad.exe] C:\WINDOWS\dllmanger.exe
O4 - HKLM\..\Run: [Norton Guard 32] ntguard32.exe
O4 - HKLM\..\Run: [Windows Network Controller] mqguard.exe
O4 - HKLM\..\Run: [3eduSR] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [blah service] win32exec.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\suploads.exe
O4 - HKLM\..\Run: [Microsoft Ansti Update] msie.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [ÏòõC<ðË‚ïÁzî[8Ü•C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [Ïò˜¿ÇÏÔ@ÔÁß]­ú"ü‰üžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [Ïò˜¿ÇÏÔÁß]­ú"ü‰üžigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [ur key] sys32pwn.exe
O4 - HKLM\..\Run: [SygateX Personal Firewall] syshdd.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [MS Windows Update] scguard.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sdklor.exe
O4 - HKLM\..\Run: [Start Upping] iexplorerupdt.exe

O4 - HKLM\..\RunServices: [msnmgre] pwned.exe
O4 - HKLM\..\RunServices: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [blah service] win32exec.exe
O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\RunServices: [MSNMaSRR5] MSNMaSGRS.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\RunServices: [Sysino] lsess.exe
O4 - HKLM\..\RunServices: [Microsoft InstallPatch] ccrs32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Windows Dialup Service] dialup.exe
O4 - HKLM\..\RunServices: [windows update] Isass.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Win32l.exe
O4 - HKLM\..\RunServices: [MSN Start] msnmsgr7.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [Win Users2] uvnczr.exe
O4 - HKLM\..\RunServices: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Microsoft AOL32 Protocol] aol32.exe
O4 - HKLM\..\RunServices: [Microsoft ALG32 Protocol] alg32.exe
O4 - HKLM\..\RunServices: [Norton Guard 32] ntguard32.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] mqguard.exe
O4 - HKLM\..\RunServices: [Microsoft Ansti Update] msie.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [ur key] sys32pwn.exe
O4 - HKLM\..\RunServices: [SygateX Personal Firewall] syshdd.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [MS Windows Update] scguard.exe
O4 - HKLM\..\RunServices: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\RunOnce: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] mqguard.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\Run: [Sysino] lsess.exe
O4 - HKCU\..\Run: [Windows Dialup Service] dialup.exe

O4 - HKCU\..\Run: [Sygate Personal Firewall] Win32l.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [msdev] msconfig.exe
O4 - HKCU\..\Run: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKCU\..\Run: [Winamp media player] winapa.exe
O4 - HKCU\..\Run: [Microsoft AOL32 Protocol] aol32.exe
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Microsoft ALG32 Protocol] alg32.exe
O4 - HKCU\..\Run: [Windows Network Controller] mqguard.exe
O4 - HKCU\..\Run: [blah service] win32exec.exe
O4 - HKCU\..\Run: [Microsoft Ansti Update] msie.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Ycahoua] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [ur key] sys32pwn.exe
O4 - HKCU\..\Run: [SygateX Personal Firewall] syshdd.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [prutdct] C:\WINDOWS\System32\prutdct.exe
O4 - HKCU\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKCU\..\RunServices: [blah service] win32exec.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] mqguard.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Microsoft Disk Scanner - Unknown - C:\WINDOWS\System32\scansdisk.exe (file missing)

O23 - Service: Windows Dialup Service - Unknown - C:\WINDOWS\System32\dialup.exe (file missing)


Look over all the entries carefully that I asked you to put a check beside, try not to miss any or don't tick additional ones
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on search.reg and Allow it to merge to the registry
Double click on removetrust.reg and Allow also

Stay in safe mode
Open Up Cleanup and click the Cleanup button
Let it finish scanning for files, when it's done it will prompt you that you need to log off and back on again
Don't do it yet, instead

Open Up Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Please Restart  your computer at this time, but try to Restart back to Safe Mode

Again in Safe mode
Open up McAfee's Stinger and let it run and fix whatever it finds

Restart your computer to Normal Mode

I suggest that you try an Online Virus scan at TrendMicro's Housecall
Set to Autoclean
http://housecall.trendmicro.com/

Post back with a fresh Hijackthis log afterwards

As I said earlier, do as much as you can before posting back
Be sure to include a fresh hijackthis log, preferably one in Normal mode
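
The reply above warns that many of the startup entries use names one or two characters away from real Windows files (scansdisk.exe, lsess.exe, taskmsg.exe) or a real name in the wrong folder (C:\WINDOWS\mspaint.exe). The following is an added example, not part of either post, that parses HijackThis O4 lines and flags both cases; the baseline list, the distance threshold and all function names are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Sample input: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Sysino] lsess.exe
O4 - HKLM\..\Run: [Microsoft Disk Scanner] scansdisk.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\mspaint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\taskmsg.exe
O4 - HKLM\..\RunServices: [windows update] Isass.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

SYS32 = r"c:\windows\system32"
# Assumed baseline of legitimate names and their expected folder (illustrative, not
# exhaustive). None = named as legitimate in the reply, folder not stated there.
BASELINE = {
    "lsass.exe": SYS32, "smss.exe": SYS32, "svchost.exe": SYS32,
    "services.exe": SYS32, "winlogon.exe": SYS32,
    "taskmgr.exe": SYS32, "mspaint.exe": SYS32,
    "scandisk.exe": None,
}
MAX_DISTANCE = 2  # assumed threshold: up to two single-character edits

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*)\] (.+)$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(command):
    """Return (exe, verdict, reference_name) for a suspicious command, else None."""
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    path = PureWindowsPath(m.group(1) or m.group(2))
    name = path.name.lower()
    if name in BASELINE:
        expected = BASELINE[name]
        has_dir = path.parent != PureWindowsPath(".")
        if expected and has_dir and str(path.parent).lower() != expected:
            return (name, "wrong-directory", name)
        return None
    closest = min(BASELINE, key=lambda good: edit_distance(name, good))
    if edit_distance(name, closest) <= MAX_DISTANCE:
        return (name, "lookalike", closest)
    return None

def scan(log_text):
    """Parse O4 autorun lines and return the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, value_name, command = m.groups()
        verdict = classify(command)
        if verdict:
            findings.append((f"{hive}\\{key}", value_name) + verdict)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A name-distance check only catches imitations of names in the baseline; entries such as csdata32.exe or windnsd.exe in this log imitate nothing specific and still need the manual review done in the reply.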
