Topic: help me!

ItTastesLikeBurning
« on: February 14, 2005, 05:45:02 AM »
OK, so my computer is getting messed up by the DSO exploit like so many others apparently; here's my logfile from HJT:
Logfile of HijackThis v1.99.0
Scan saved at 2:43:32 AM, on 2/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\apkslaym.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll"
O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealOne Player\realplay.exe" "/firstrun"
O4 - HKCU\..\RunOnce: [RealPlayer1] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
O4 - HKCU\..\RunOnce: [RealPlayer2] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

Whoever helps me fix this, you are a freakin' saint and I hope you live a very long and happy life. Thanks sooooo much!

guestolo
« Reply #1 on: February 18, 2005, 01:33:05 AM »
Can you do me a favor and update your version of HijackThis?

Important: Create a permanent folder for HijackThis.
Double-click "My Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created; name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important

Can you also go to this site please
Give this site time to load
http://virusscan.jotti.dhs.org/

Use the browse button and navigate to this file
C:\WINDOWS\system32\rmoc3260.dll <--this file

Right-click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


ItTastesLikeBurning
« Reply #2 on: February 26, 2005, 02:10:05 PM »
OK, I did everything you told me to do; it took me a little longer than I had hoped to sit down and actually take care of it, though. I hope to hear from you soon, as my brand new comp is still getting bogged down by something... I appreciate all your help. Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:59:56 AM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\qilkarec.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

Beyond that, I did the scan you told me to; here are the results:

File: rmoc3260.dll
Status: OK
Packers detected: None

AntiVir  No viruses found (0.77 seconds taken)
Avast  No viruses found (3.05 seconds taken)
AVG Antivirus  No viruses found (0.90 seconds taken)
BitDefender  No viruses found (0.91 seconds taken)
ClamAV  No viruses found (1.22 seconds taken)
Dr.Web  No viruses found (1.86 seconds taken)
F-Prot Antivirus  No viruses found (0.16 seconds taken)
Fortinet  No viruses found (0.66 seconds taken)
Kaspersky Anti-Virus  No viruses found (1.00 seconds taken)
mks_vir  No viruses found (0.25 seconds taken)
NOD32  No viruses found (0.47 seconds taken)
Norman Virus Control  No viruses found (0.19 seconds taken)
Hope to hear from you soon! You're a lifesaver!

guestolo
« Reply #3 on: February 26, 2005, 05:07:48 PM »
rmoc3260.dll
That is probably related to RealPlayer; it should be OK.

Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\qilkarec.dll

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Ensure that these files are gone, if not delete them
C:\WINDOWS\system32\qvonmzxh.dll <--file
C:\WINDOWS\system32\qilkarec.dll <--file
C:\WINDOWS\system32\msupd6.exe <--file

Post back a fresh Hijackthis log afterwards
« Last Edit: February 26, 2005, 05:13:03 PM by guestolo »



ItTastesLikeBurning
« Reply #4 on: February 27, 2005, 09:20:25 PM »
OK, so I removed all of those files except the O23 one; although I checked it (twice), it still shows up in the HJT log each time... Also, when I run Spybot, DSO Exploit still shows up. Any ideas? Thank you sooo much again for your time, you're a life-saver. Here's the new HJT log..

Scan saved at 6:18:21 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe



hope to hear from  you soon!

guestolo
« Reply #5 on: February 27, 2005, 09:34:05 PM »
Don't worry about the DSO Exploit in Spybot; it's a bug in the program.
I'll let you know about it later.

I have to step out
But could you
Restart into Safe mode

From safe mode
Go to start>>run>>type in services.msc
Hit OK
In the new window do you see this service name?
srpgwhocdids (MsUpdate6)

If so can you double click on it
Ensure the service is stopped and, from the drop-down menu, set it to Disabled

Next with just Hijackthis open
Fix checked these entries

O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)

O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)


I want to see if they return

Restart back into Normal mode and post back a fresh HijackThis log

Could you also
Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs; if you get a prompt from your Anti-Virus, allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.



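As an added example (not code from the thread, from HijackThis, or from the helper), here is one way to do by script what the replies above do by eye: triage the finding lines of a HijackThis log and, following the "I want to see if they return" check, compare a scan taken before "Fix checked" with one taken after it to list the entries that survived. It assumes the line layout shown in the logs in this thread; the sample lines are copied from the second and fourth logs posted above.

```python
import re

# One HijackThis finding per line: "<section code> - <body>".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O2 body layout: "BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O23 body layout: "Service: <display name> - <owner> - <image path>"
SVC_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed samples: a few lines copied from the thread's second log (before
# "Fix checked") and fourth log (after the fix and reboot), not full scans.
BEFORE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - C:\WINDOWS\system32\qvonmzxh.dll
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - C:\WINDOWS\system32\qilkarec.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe
"""
AFTER_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: srpgwhocdids (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
"""

def parse_hjt(log_text):
    """Return (code, body) for every finding line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def entry_key(code, body):
    """Stable identity for an entry so it can be matched across two scans."""
    if code == "O2":
        m = BHO_RE.match(body)
        if m:
            return f"O2:{m.group('clsid')}"      # the CLSID outlives the DLL
    if code == "O23":
        m = SVC_RE.match(body)
        if m:
            return f"O23:{m.group('display')}"   # the name outlives the image
    return f"{code}:{body}"

def flag_entry(code, body):
    """Reason an entry deserves review, or None for entries this triage ignores."""
    if code == "O2":
        m = BHO_RE.match(body)
        if m and m.group("path") == "(no file)":
            return "orphaned BHO registration (no file)"
        if m and m.group("name") == "(no name)":
            return "unnamed BHO"
    if code == "O23":
        m = SVC_RE.match(body)
        if m and m.group("path").endswith("(file missing)"):
            return "orphaned service registration (file missing)"
        if m and m.group("owner").lower().startswith("unknown"):
            return "service with unknown owner"
    if code == "R3" and "missing" in body:
        return "default URLSearchHook missing"
    return None

def triage(log_text):
    """Map the key of every flagged entry to the reason it was flagged."""
    findings = {}
    for code, body in parse_hjt(log_text):
        reason = flag_entry(code, body)
        if reason:
            findings[entry_key(code, body)] = reason
    return findings

def persisted(before_text, after_text):
    """Keys flagged in both scans: the entries that survived the fix attempt."""
    return sorted(set(triage(before_text)) & set(triage(after_text)))

if __name__ == "__main__":
    for key, reason in triage(AFTER_LOG).items():
        print(f"{key}: {reason}")
    print("survived the fix:", persisted(BEFORE_LOG, AFTER_LOG))
```

Run against the two samples, the three entries the helper asks to fix again in Reply #5 are exactly the ones reported as surviving, now as orphaned registrations rather than live files.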
ItTastesLikeBurning
« Reply #6 on: March 15, 2005, 01:43:57 PM »
OK, I did what you said; here's the current HJT log, followed by Post_This:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

and Post_This:
---> Begin Service Listing <---

Unknown Service # 1
Service Name: MsUpdate6
Display Name: srpgwhocdids
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\msupd6.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Manual
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{e4bcb320-70ef-43ec-8fb9-38b4d4f46161}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---
Thanks so much for your help and for always replying so shortly after I post; can't thank you enough =).

guestolo
« Reply #7 on: March 15, 2005, 07:23:57 PM »
It's been awhile since you posted back
I need to see the WHOLE hijackthis log, not just the bottom part of it

Could you also ensure you're running HijackThis 1.99.1
You can get the updated version from my Signature below
Save it to a permanent folder

Rescan and post the log
All of it



ItTastesLikeBurning
« Reply #8 on: March 16, 2005, 02:45:41 AM »
Logfile of HijackThis v1.99.1
Scan saved at 11:42:13 PM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B} - (no file)
O2 - BHO: (no name) - {85ECDD6F-362A-06E0-015D-E5B8F667DFF4} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.Email Removed.msn.com/resources/MsnPUpld.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

OK, that's the new log! Sorry I didn't reply earlier. You, however, came through as punctually as ever and I greatly appreciate it! Thank you so much. Can't wait to hear back.

guestolo
« Reply #9 on: March 17, 2005, 11:23:10 PM »
Open Hijackthis>>Open Misc tools section>>Click the
"Delete an NT Service"
In the box copy and paste the below in bold

srpgwhocdids

Hit OK

Afterwards
Could you please go to this link
http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, unzip and run "RegSrch.vbs"
Copy and paste this in the dialog box:
{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}

Click OK
After a while a prompt will come up.
Click OK to open in Notepad or Wordpad
Post back the results that are found

Do the same for this one too
{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}



ItTastesLikeBurning
« Reply #10 on: March 19, 2005, 02:04:50 PM »
OK, as far as srpgwhocdids goes, when I tried to delete it with HJT it said it wasn't found. I downloaded the Registry Search Tool and ran the scans you suggested; here's the first:
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}" 3/19/2005 10:58:01 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\GIANTCompany\AntiSpyware\Alerts\6779FE23-A617-42FE-BAB1-5B0EAE]
"RegistryFullPath"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}"

[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\GIANTCompany\AntiSpyware\Alerts\6779FE23-A617-42FE-BAB1-5B0EAE]
"RegistryKey"="{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}"

[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}]

[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64B02C29-0DA1-6DD0-5BC1-3DB65EDE291B}\iexplore]

here's the second:
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}" 3/19/2005 11:01:05 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}]

[HKEY_USERS\S-1-5-21-1837791230-566809135-3639824827-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85ECDD6F-362A-06E0-015D-E5B8F667DFF4}\iexplore]

Can't thank you enough for all your help =). Hope to be hearing from you soon!