
Logfile of HijackThis v1.99.1

Scan saved at 11:24:06 AM, on 7/25/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Aquarius Soft\PC Shutdown\svchost.exe

C:\WINDOWS\Explorer.exe

D:\DU Meter\DUMeter.exe

C:\WINDOWS\System32\spoolsub.exe

C:\Program Files\Messenger\msmsgs.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\windows\system32\okmtnh.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\Program Files\180searchassistant\sac.exe

C:\Program Files\BullsEye Network\bin\bargains.exe

C:\WINDOWS\System32\67aqenvf.exe

C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe

C:\Documents and Settings\mike\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe\ActiveX\AcroIEHelper.dll

O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll

O2 - BHO: (no name) - {23447605-7BAE-3100-4687-08C6C84EEE82} - C:\WINDOWS\cdmagent\daxijvnebu.dll (file missing)

O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [spooler Subsystem] spoolsub.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - HKLM\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [pmsblla] c:\windows\system32\okmtnh.exe r

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe

O4 - HKLM\..\Run: [67aqenvf] C:\WINDOWS\System32\67aqenvf.exe

O4 - HKLM\..\Run: [buhsv] C:\WINDOWS\buhsv.exe

O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"

O4 - HKLM\..\RunServices: [spooler Subsystem] spoolsub.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - Global Startup: Aquarius Soft PC Shutdown Tray Icon.lnk = D:\Aquarius Soft\PC Shutdown\assdtray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\java\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\java\bin\npjpi150_04.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EE20D5A5-87E6-43DE-9C69-76AC0BC71DF4}: NameServer = 216.254.95.2,4.2.2.3

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Aquarius Soft PC Shutdown NT Service - Aquarius Soft - D:\Aquarius Soft\PC Shutdown\svchost.exe

 

I think I might have the Aurora thing...

Edited by MiG1289

Hi Mike, Indeed you do have the Aurora infection along with others. Please follow these instructions to rid yourself of it and then we can clean up the rest. Thanks.

 

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

 

Please download Nailfix from here:

http://www.noidea.us/easyfile/file.php?dow...050515010747824

Unzip it to the desktop but please do NOT run it yet.

 

The above Registry file, written by miekiemoes, Swandog and racooper, was written specifically for this infection and is not to be used on any other infection, as it could damage a person's PC.

 

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear.

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

 

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

 

Then please run Ewido, and run a full scan. Save the log from the scan to your Desktop. IMPORTANT! Lately more people choose “Ignore” during the scan, but you’ll have to click/choose “Clean” or “Quarantine”! Otherwise the whole fix will result in a failure.

 

Then please run HijackThis, click Scan, and check (if there):

 

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

 

Close all open windows except for HijackThis and click Fix Checked.

 

Restart your computer in normal mode, make a new HijackThis log and post it here, as well as the log from the Ewido scan.

 

Thanks...pskelley

Trusted HJT Advisor

PCPitStop forum

Edited by pskelley

Hey Mike, It looks like you are choosing "Ignore" when Ewido finds something to remove? See this:

IMPORTANT! Lately more people choose “Ignore” during the scan, but you’ll have to click/choose “Clean” or “Quarantine”! Otherwise the whole fix will result in a failure.

Though it seems the junk is gone from the last log? If this is the case, please run Ewido again and if it locates anything to remove choose "Clean or Quarantine".

 

This is what you need to remove from the HJT log run in Normal mode.

 

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {23447605-7BAE-3100-4687-08C6C84EEE82} - (no file)

O2 - BHO: (no name) - {4AA870AC-8427-42a4-B92E-ECD956197489} - (no file)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab

Windows AdTools winad

 

Close all programs but HJT and all browser windows, then click on "Fix Checked".

 

Please post a new HJT log and Ewido scan once these instructions have been followed. Also let me know how the computer is running now.

 

Thanks...Phil


OK, I think (hope) I got it right this time; I chose for Ewido to fix/remove the bad things it found. Here are both of the logs from Safe Mode.

 

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 8:36:30 PM, 7/27/2005

+ Report-Checksum: 5DFA9B6C

 

+ Scan result:

 

:mozilla.6:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

:mozilla.7:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

:mozilla.19:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

:mozilla.20:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup

:mozilla.26:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup

:mozilla.32:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup

:mozilla.34:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup

:mozilla.35:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup

:mozilla.39:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.40:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.41:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.42:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.47:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup

C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup

C:\WINDOWS\system32\spoolsub.exe -> Backdoor.SdBot : Cleaned with backup

D:\firefox\plugins\npzango.dll -> Spyware.WinAD : Cleaned with backup

 

 

::Report End

 

HERE IS THE HIJACKTHIS LOG FROM SAFE MODE

 

Logfile of HijackThis v1.99.1

Scan saved at 8:36:41 PM, on 7/27/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\mike\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {23447605-7BAE-3100-4687-08C6C84EEE82} - (no file)

O2 - BHO: (no name) - {4AA870AC-8427-42a4-B92E-ECD956197489} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - Global Startup: Aquarius Soft PC Shutdown Tray Icon.lnk = D:\Aquarius Soft\PC Shutdown\assdtray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\java\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\java\bin\npjpi150_04.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EE20D5A5-87E6-43DE-9C69-76AC0BC71DF4}: NameServer = 216.254.95.2,4.2.2.3

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Aquarius Soft PC Shutdown NT Service - Aquarius Soft - D:\Aquarius Soft\PC Shutdown\svchost.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\dklite\DkService.exe

O23 - Service: ewido security suite control - ewido networks - D:\security suite\ewidoctrl.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

I will post the logs from the regular boot in a few minutes.


Here are the logs for the regular boot. Ewido scan:

 

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 9:14:55 PM, 7/27/2005

+ Report-Checksum: 5BDF0D3B

 

+ Scan result:

 

:mozilla.6:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

:mozilla.11:C:\Documents and Settings\mike\Application Data\Mozilla\Firefox\Profiles\xviwqm85.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

 

 

::Report End

 

*************HIJACKTHIS SCAN!*************

 

Logfile of HijackThis v1.99.1

Scan saved at 9:15:08 PM, on 7/27/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

D:\DU Meter\DUMeter.exe

C:\PROGRA~1\mcafee.com\agent\McAgent.exe

D:\Aquarius Soft\PC Shutdown\assdtray.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

D:\Aquarius Soft\PC Shutdown\svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\clipsrv.exe

C:\WINDOWS\System32\dllhost.exe

D:\dklite\DkService.exe

D:\security suite\ewidoctrl.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\dmadmin.exe

D:\AIM\aim.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Documents and Settings\mike\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {23447605-7BAE-3100-4687-08C6C84EEE82} - (no file)

O2 - BHO: (no name) - {4AA870AC-8427-42a4-B92E-ECD956197489} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe

O4 - Global Startup: Aquarius Soft PC Shutdown Tray Icon.lnk = D:\Aquarius Soft\PC Shutdown\assdtray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\java\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\java\bin\npjpi150_04.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EE20D5A5-87E6-43DE-9C69-76AC0BC71DF4}: NameServer = 216.254.95.2,4.2.2.3

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Aquarius Soft PC Shutdown NT Service - Aquarius Soft - D:\Aquarius Soft\PC Shutdown\svchost.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\dklite\DkService.exe

O23 - Service: ewido security suite control - ewido networks - D:\security suite\ewidoctrl.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  • 2 weeks later...

Ok Mike, once again sorry for this delay and just a little more junk to get rid of.

 

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {23447605-7BAE-3100-4687-08C6C84EEE82} - (no file)

O2 - BHO: (no name) - {4AA870AC-8427-42a4-B92E-ECD956197489} - (no file)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab

Windows AdTools winad (NASTY)

 

Close all programs but HJT and all browser windows, then click on "Fix Checked".

 

We need to purge your System Restore files to make sure they are clean. Use these instructions to turn SR off, reboot, then turn it back on:

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

Post me a new HJT log for a final look. I'll have some great information to help you stay clean and safe.

 

I have one more issue I need your help with. This item: O17 - HKLM\System\CCS\Services\Tcpip\..\{EE20D5A5-87E6-43DE-9C69-76AC0BC71DF4}: NameServer = 216.254.95.2,4.2.2.3

When I try to validate it I get this information:

 

Server Used: [ rwhois.level3.net ]

4.2.2.3 = [ vnsc-lc.sys.gtei.net ]

ERROR: Unable to connect to rwhois.level3.net for 4.2.2.3 ... Aborting

 

Would you check with your ISP to make sure this is valid? Thanks...Phil
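Added example, not part of the thread and not HijackThis code: a small Python triage script over lines in the HijackThis 1.99 log format, flagging the three patterns the advisor asks to fix above: an F2 Shell= value that loads something beside Explorer.exe (the Nail.exe line in the first reply), orphaned O2/O3 entries marked "(no file)" or "(file missing)", and O4 Run/RunServices entries that name a program without a directory (the spoolsub.exe entry Ewido later identified as Backdoor.SdBot). The sample lines are copied from the logs posted in this thread; the rules are the editor's, not HijackThis's own scoring.

```python
import re

# Constructed sample in HijackThis 1.99 log format; the lines are copied from
# the logs posted in this thread (real log lines from the thread, not invented).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23447605-7BAE-3100-4687-08C6C84EEE82} - C:\WINDOWS\cdmagent\daxijvnebu.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [spooler Subsystem] spoolsub.exe
O4 - HKLM\..\RunServices: [spooler Subsystem] spoolsub.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"""

# Every HJT entry starts with a section code (R0, F2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 registry autoruns: HKLM\..\Run: [name] command   (also RunServices, HKCU)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[[^\]]*\] (?P<cmd>.*)$")


def shell_extras(body):
    """For an F2 line, return every program loaded as shell besides Explorer.exe.
    The Aurora fix in this thread removes exactly such an extra entry (Nail.exe)."""
    m = re.match(r"^REG:system\.ini: Shell=(?P<value>.*)$", body)
    if not m:
        return []
    return [t for t in m.group("value").split() if t.lower() != "explorer.exe"]


def is_orphan(body):
    """Entry whose target no longer exists on disk: left behind after a cleanup."""
    return "(no file)" in body or "(file missing)" in body


def bare_run_target(body):
    """For an O4 Run/RunServices line, return the program name if it is given
    without any directory; Windows then resolves it through the search path,
    which legitimate installers rarely rely on."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted full path
    else:
        exe = cmd.split()[0] if cmd else ""     # first token is the program
    if exe and "\\" not in exe and ":" not in exe:
        return exe
    return None


def triage(log_text):
    """Return (reason, line) pairs for every HJT line matching one of the rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                            # headers, process list, blanks
        section, body = m.group("section"), m.group("body")
        if section == "F2":
            for extra in shell_extras(body):
                findings.append(("extra shell program: " + extra, line))
        if is_orphan(body):
            findings.append(("orphaned entry (target missing)", line))
        if section == "O4":
            exe = bare_run_target(body)
            if exe:
                findings.append(("autorun by bare file name: " + exe, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:45} <- {line}")
```

Entries such as DU Meter or the quoted McAfee path produce no finding, so the script narrows a long log to the lines worth a second look rather than replacing the advisor's judgement.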
