1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

BLOODHOUND.EXPLOIT.6 VIRUS

Discussion in 'All other topics' started by vincentd, Nov 17, 2004.

  1. adt10

    adt10 Member

    Joined:
    Jun 11, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    yo can u tell wat to delete?


    Logfile of HijackThis v1.98.2
    Scan saved at 1:56:27 PM, on 4/20/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\windows\system32\squvxc.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe
    C:\windows\system32\packager.exe
    C:\windows\system32\KjukCAv.exe
    C:\windows\system32\7r6sgT.exe
    C:\WINDOWS\System32\oem1_qc.exe
    C:\Program Files\5hw6eb8z\82513475.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\System32\nmedim.exe
    C:\WINDOWS\system32\KjukCAv.exe
    C:\Program Files\Secretmaker\secretmaker.exe
    C:\Program Files\Conquer1.0\Qlock\qlock.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Conquer1.0\Conquer.exe
    c:\docume~1\owner\locals~1\temp\180ax.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
    O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [5hw6eb8z] C:\Program Files\5hw6eb8z\5hw6eb8z.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
    O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
    O4 - HKLM\..\Run: [squvxc] c:\windows\system32\squvxc.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [180ax] c:\docume~1\owner\locals~1\temp\180ax.exe
    O4 - HKLM\..\Run: [KjukCAv.exe] c:\windows\system32\KjukCAv.exe
    O4 - HKLM\..\Run: [7r6sgT] C:\windows\system32\7r6sgT.exe
    O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Owner\LOCALS~1\Temp\rm05040901.Stub.exe
    O4 - HKLM\..\Run: [0s9g3Ee] oem1_qc.exe
    O4 - HKLM\..\Run: [kjwfoj] C:\WINDOWS\kjwfoj.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
    O4 - HKCU\..\Run: [HBqmROK6U] nmedim.exe
    O4 - Startup: qlock.lnk = C:\Program Files\Conquer1.0\Qlock\qlock.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo.com/mmviewer_emg11.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B4D34339-1B7C-4654-9A1C-5401DB775DB1}: NameServer = 64.136.28.120 64.136.20.120
    O18 - Filter: text/html - (no CLSID) - (no file)

     
  2. MHOL

    MHOL Member

    Joined:
    Apr 7, 2005
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    CJC Could you take a look at this and tell me what to delete? Thanks:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:22:19 PM, on 4/7/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\system32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\WINNT\System32\cidaemon.exe
    C:\PROGRA~1\Netscape\Netscape\Netscp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pop.earthlink.net:110
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.bbc.co.uk/?ok"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\vj8lto4v.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\vj8lto4v.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  3. CJC

    CJC Regular member

    Joined:
    Aug 23, 2004
    Messages:
    600
    Likes Received:
    1
    Trophy Points:
    26
    @ahsasa

    Put a tick in and remove the following:

    C:\program files\support.com\client\bin\tgcmd.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O18 - Protocol: bw+0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {79D0278E-FC26-48E8-901F-77943B0C89B1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    CJC
     
  4. CJC

    CJC Regular member

    Joined:
    Aug 23, 2004
    Messages:
    600
    Likes Received:
    1
    Trophy Points:
    26
    @adt10

    First off, your version of HiJack this is out of date.
    You may want to download and install SP2
    You are REALLY infected

    Put a tick in and remove the following.... Also delete the files in the top part of the log, eg squvxc.exem gah95on6.exe, autoupdate.exe, svcmm32.exe etc etc.
    You may have to do it in safe mode.

    C:\windows\system32\squvxc.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe
    C:\windows\system32\packager.exe
    C:\windows\system32\KjukCAv.exe
    C:\windows\system32\7r6sgT.exe
    C:\WINDOWS\System32\oem1_qc.exe
    C:\Program Files\5hw6eb8z\82513475.exe
    C:\WINDOWS\System32\nmedim.exe
    C:\WINDOWS\system32\KjukCAv.exe
    C:\Program Files\Secretmaker\secretmaker.exe
    C:\Program Files\Conquer1.0\Qlock\qlock.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\Conquer1.0\Conquer.exe
    c:\docume~1\owner\locals~1\temp\180ax.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [5hw6eb8z] C:\Program Files\5hw6eb8z\5hw6eb8z.exe
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
    O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
    O4 - HKLM\..\Run: [squvxc] c:\windows\system32\squvxc.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [180ax] c:\docume~1\owner\locals~1\temp\180ax.exe
    O4 - HKLM\..\Run: [KjukCAv.exe] c:\windows\system32\KjukCAv.exe
    O4 - HKLM\..\Run: [7r6sgT] C:\windows\system32\7r6sgT.exe
    O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Owner\LOCALS~1\Temp\rm05040901.Stub.exe
    O4 - HKLM\..\Run: [0s9g3Ee] oem1_qc.exe
    O4 - HKLM\..\Run: [kjwfoj] C:\WINDOWS\kjwfoj.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
    O4 - HKCU\..\Run: [HBqmROK6U] nmedim.exe
    O4 - Startup: qlock.lnk = C:\Program Files\Conquer1.0\Qlock\qlock.exe
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitial Setup1.0.0.8-2.cab
    O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo.com/mmviewer_emg11.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B4D34339-1B7C-4654-9A1C-5401DB775DB1}: NameServer = 64.136.28.120 64.136.20.120
    O18 - Filter: text/html - (no CLSID) - (no file)
     
  5. CJC

    CJC Regular member

    Joined:
    Aug 23, 2004
    Messages:
    600
    Likes Received:
    1
    Trophy Points:
    26
    And last but not least
    @MHOL

    Hey, the only thing i can really see in your logs is this:
    Not sure what it is.

    O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe

    CJC
     
  6. MHOL

    MHOL Member

    Joined:
    Apr 7, 2005
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    CJC,

    Thanks for takin a look.
     
  7. rasdaweed

    rasdaweed Member

    Joined:
    Apr 28, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    blessings CJC,
    see u a real expert round yah,
    can u take a look at my HijackThis log?
    and ye... my Norton informed me bout this csrss.exe BloodHound virus today.
    help me


    Logfile of HijackThis v1.99.1
    Scan saved at 8:01:25 PM, on 4/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    c:\apache\APACHE.EXE
    c:\apache\APACHE.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    D:\Program Files\Winamp\winampa.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    D:\Program Files\Neobee Speeedy Internet Accelerator\speeedy.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Daweed\Internet\Download\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Ras Daweed\Application Data\Mozilla\Profiles\default\zcq1t49a.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Ras Daweed\Application Data\Mozilla\Profiles\default\zcq1t49a.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - D:\Program Files\Neobee Speeedy Internet Accelerator\PBHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "c:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
    O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerP\Kyescan.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Neobee Speeedy Internet Accelerator.lnk = D:\Program Files\Neobee Speeedy Internet Accelerator\speeedy.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Apache - Unknown owner - D:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  8. CJC

    CJC Regular member

    Joined:
    Aug 23, 2004
    Messages:
    600
    Likes Received:
    1
    Trophy Points:
    26
    Hey

    Not much really there, put a tick in and remove the following:

    D:\Program Files\Neobee Speeedy Internet Accelerator\speeedy.exe O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
    O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerP\Kyescan.exe
    O4 - Global Startup: Neobee Speeedy Internet Accelerator.lnk = D:\Program Files\Neobee Speeedy Internet Accelerator\speeedy.exe

    CJC
     
  9. glentg

    glentg Guest

    CJC .......... you appear to be the one who knows ALL that needs to be KNOWN! I, too, have been assaulted by the Bloodhound.Exploit.6 virus....have read this thread and run hijackthis ... here is my log...please let me know what to delete.
    -also-
    I've been told to dl avg70free_298a417.exe and ssfsetup347.exe to my machine ...... ever hear of them? is it a good idea to use them?

    BTW ....... CJC FOR PRESIDENT !!!!!!!!!!!!!!!!

    Logfile of HijackThis v1.99.1
    Scan saved at 9:47:19 AM, on 04/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\system32\paytime.exe
    C:\Program Files\Survey Alerts Manager\skinkers.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\paytime.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WebSiteViewer\124843.dlr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Glen Grossi\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [SAMCluster] C:\Program Files\Survey Alerts Manager\skinkers.exe
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: winupdate45654501[1].exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {297AEB8E-D78B-427A-BBC2-E6496017D290} (AHLDSync.ctlDataSync) - https://allapp.ahlcorp.com/DataSync/Control/AHLDSync.cab
    O16 - DPF: {61093F1C-B4E6-4CC4-AC44-8EE32A22DD86} (FipFiller Class) - http://localhost:1217/Forms/Control/AHLNetCl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103409347681
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E5238271-D692-408F-A625-275DF49EE4E3} (AHLInfoUpdate.Login) - https://allapp.ahlcorp.com/InfoUpdate/Control/AHLInfoUpdate.CAB
    O16 - DPF: {E6545011-41C1-41E8-A553-2457571D1BBC} (TimeDlgBox Class) - http://localhost:1217/Sessionctl/control/SessionCtl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB0A72BB-9E42-4FCC-9D03-B9A216574736}: NameServer = 64.49.242.213 212.100.224.173
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

     
  10. glentg

    glentg Guest

    OH.....one other thing........i've also been told that sygate is a pretty good firewall that is easy to use and should further protect my system ..... true?
     
  11. rock1911

    rock1911 Member

    Joined:
    May 1, 2005
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    CJC
    When i downloaded HJthis, my comp got screwy, why? Then I almost could not uninstall it. Right now Norton has found bloodhound, delprot, ezinstall, osrouter, ndnuninstall, upd202, and woinstall. What can I do now? I am using Norton AV2004, Ad-aware, Spybot, and MS's Beta. What do you suggest from here? Any and all help will be greatly appreciated!!!
     
  12. glentg

    glentg Guest

    hello ... anyone out there? i'm desperately hoping that someone can help me rid my system of this exploit virus... any suggestions?
     
  13. nay

    nay Member

    Joined:
    May 4, 2005
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    CJC, pls check my log...

    Logfile of HijackThis v1.99.1
    Scan saved at 9:44:22 AM, on 5/5/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
    C:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe
    C:\Program Files\Everstrike Software\Universal Shield 3.3.1\US30Service.exe
    C:\Program Files\EDS\License Servers\UGNXFLEXlm\uglmd.exe
    C:\WINDOWS\System32\fscagent.exe
    C:\WINDOWS\System32\clubbox.exe
    C:\Program Files\NetTransport\NetTransport.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\GRETECH\GomPlayer\GOM.exe
    C:\Program Files\GRETECH\GomPlayer\GOM.exe
    C:\Program Files\GRETECH\GomPlayer\GOM.exe
    C:\Program Files\GRETECH\GomPlayer\GOM.exe
    C:\Program Files\GRETECH\GomPlayer\GOM.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\GRETECH\GomPlayer\GOM.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Nay Oo Han\Local Settings\Temp\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport\NTIEHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111888049953
    O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unknown owner - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
    O23 - Service: Unigraphics License Server (uglmd) - GLOBEtrotter Software Inc. - C:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe
    O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.3.1\US30Service.exe
     
  14. bent_33

    bent_33 Member

    Joined:
    May 5, 2005
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    Hi im new here. I also have this kind of problem in my laptop and i need to remove it quickly coz im doing my thesis right now and my laptop is my life! please help me remove this bloodhound.explorer.6 in my notebook as soon as possible. Im posting my hijack file so you can see it an d help me. Thanks in advance!

    Logfile of HijackThis v1.99.1
    Scan saved at 12:41:31 AM, on 5/6/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\BtUsrBdg.exe
    C:\WINDOWS\System32\BTSetBootKey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\System32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\EzButton\EzButton.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\usbn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
    C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
    C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
    C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\User\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=346
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=346
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=346
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\I7GT6D~1.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
    O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [NDSTray.exe] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    O4 - HKLM\..\Run: [CFSServ.exe] C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c108 -w
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Startup.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O20 - AppInit_DLLs: cvs5inwertuyv9.dll
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

     
  15. kumru

    kumru Member

    Joined:
    May 17, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Please help me. I cannot use my computer, I keep getting these pop ups. Here is my log file
    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 01:33:03, on 18/05/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\cba\pds.exe
    C:\PROGRA~1\Navnt\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\cba\xfr.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Navnt\vpexrt.exe
    C:\PROGRA~1\Navnt\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\WINNT\system32\internat.exe
    C:\WINNT\System32\cleanmgr.exe
    C:\WINNT\System32\cleanmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
    R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINNT\System32\SEARCH~1.DLL
    O1 - Hosts: 60.50.170.0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINNT\System32\popup_bl.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe

     
    Last edited: May 22, 2005
  16. kumru

    kumru Member

    Joined:
    May 17, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    My computer has also being infected by bloodhound.exploit 6.

    Please have a look at my hijackthis log above and advise what to change. I cleaned all the cookies and temp internet files and dwonloaded Windows Outlook patches but nothing seems to have helped.
     
  17. dipset121

    dipset121 Regular member

    Joined:
    Apr 12, 2005
    Messages:
    183
    Likes Received:
    0
    Trophy Points:
    26
    can some one please help me this is my hijackthis log file i keep getting redirected to another website everytime I'm online


    Logfile of HijackThis v1.99.1
    Scan saved at 12:36:24 AM, on 5/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Tonya\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://free.aol.com/tryaolfree/index.adp?promo=564240&service=aol
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [4F3f3pj] danrrenu.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LospRfH9V] wpaprop2.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0027.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1116477052873
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    what do I need to get rid of help me
     
  18. Tmalone

    Tmalone Member

    Joined:
    Feb 24, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    any chance this thing might be in the system restore? I've turned my system restore of along time ago do do viruses getting in there and not leaving.
     
  19. CJC

    CJC Regular member

    Joined:
    Aug 23, 2004
    Messages:
    600
    Likes Received:
    1
    Trophy Points:
    26
    Hi
    Sorry have been real busy lately, so if anybody i have missed, just let me know.

    @ dipset121
    I have checked your log on a previous thread

    @kumru

    Put a tick in and remove the following:

    C:\WUTemp\com_microsoft.890175_W2K_SP5_WinSE_143977_Express\Windows2000-KB890175 -x86-Express-ENU.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
    R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINNT\System32\SEARCH~1.DLL
    O1 - Hosts: 60.50.170.0
    O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINNT\System32\popup_bl.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

    CJC
     
  20. kumru

    kumru Member

    Joined:
    May 17, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Thanks CJC

    I deleted the lines you said. But now I cannot access the internet. I have the connection but internet explorer cannot seem to start. I keep getting 'this page cannot be found' message. I have the connection because MSN messenger is running fine.

    I was trying to change the intenet explorer settings, may be I messed up something there. Or both, deleting some lines and trying to change the settings.

    what do you advise?

    thanks
    kumru
     

Share This Page