Mischel Internet Security Forum
Help! Multiple Attacks! HJT Attached!
Qball
Newbie
Help! Multiple Attacks! HJT Attached!
« on: Apr 11th, 2007, 5:39pm »

Returned from a week-long excursion to find the home computer infested with multiple viruses. My daughter claims to have tried to fix it (mainly by downloading lots of antivirus software coupled with bad advice from her peers). PLEASE HELP! Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:37:25 PM, on 4/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\program files\sygate\ssa\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
F:\Downloaded Programs\Process Explorer\ProcessExplorerNt\procexp.exe
C:\WINNT\system32\mshta.exe
F:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\explorer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R3 - Default URLSearchHook is missing
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [FreeRAM XP] "F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: services.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O8 - Extra context menu item: Encarta &Definition - http://ca.encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/version4/windows-ie/en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/controls/BellCanadaPortalAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,911,0
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149895973109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620} : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B} : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\program files\sygate\ssa\smc.exe
O23 - Service: SysEnforce - Unknown owner - F:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
 
Thanks in advance.....

siliconman01
Global Moderator
Re: Help! Multiple Attacks! HJT Attached!
« Reply #1 on: Apr 12th, 2007, 2:04am »

Welcome to the forum, Qball.
 
Yes, it looks like you have been hit pretty hard by the cybercriminals.  Please follow the directions below to get started removing the junk they have hit you with.
 
A.  Fix your HOSTS file-
 
1.  Open Notepad
2.  Create a one line entry that is    127.0.0.1     localhost
3.  Save this file using the name  HOSTS.txt into the following system folder:
 
C:\Windows\System32\Drivers\etc
 
4.  Reboot your computer into SAFE MODE
5.  Using Windows Explorer, navigate to the etc folder located at C:\Windows\System32\Drivers\etc and open folder etc
6.  Delete the file that is named  HOSTS.  It will have no extension.
7.  Rename the file HOSTS.txt that you created/saved to the name HOSTS  (with no extension).
8.  Close Windows Explorer.
9.  Reboot your computer back into Normal Mode.
10.  Using Notepad, check the HOSTS file and make sure it still just has the one entry  127.0.0.1   localhost
 
B.  Rename Hijackthis-
 
1.  Using Windows Explorer, locate the file named Hijackthis.exe and rename it to something like AnalyzeMe.exe
 
This is because some malicious elements cause Hijackthis to not report correctly.  By renaming it, this prevents the malicious files from causing false reporting by Hijackthis.
 
C.  Perform initial cleaning-
 
1.  Follow the instructions in the link below to perform initial cleaning.
 
http://www.misec.net/forum/board/FAQ/1170863449

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Qball
Newbie
Re: Help! Multiple Attacks! HJT Attached!
« Reply #2 on: Apr 13th, 2007, 5:34pm »


Hi Siliconman01,  
 
Thanks firstly for the quick reply. I had trouble accessing the internet, so sorry for the delay. Here is what I did:
 
A Host file fix:  
 
C:\WINNT\System32\Drivers\etc
 
1.     Used Notepad to apply the fix, but the HOSTS file still reads as HOSTS.txt; I don't know how to lose the extension, but I left it as a text file reading 127.0.0.1   localhost.
 
2.     Renamed Hijackthis
 
3.     Performed initial cleaning as per your instructions.
 
4.     Here are the scan results:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:39:40 PM, on 4/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\program files\sygate\ssa\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
F:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\AnalyzeMe.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: services.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O8 - Extra context menu item: Encarta &Definition - http://ca.encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/version4/windows-ie/en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/controls/BellCanadaPortalAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,911,0
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149895973109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620} : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B} : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\program files\sygate\ssa\smc.exe
O23 - Service: SysEnforce - Unknown owner - F:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
 
Trojan Hunter Abbreviated Log:
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
.....................etc..............
 
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinXPServicePackCrack.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinXPServicePackCrack1.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinXPServicePackCrack2.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinXPServicePackCrack3.zip
........................................etc........................................
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip
........................................etc.......................................
 
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZip9.zip
Found NTFS alternate data stream: C:\Documents and Settings\wtsang01\My Documents\Hbc_stove.htm:<5>Q30lsldxJoudresxAaaqpcawXc:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\wtsang01\My Documents\Hbc_stove.htm:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA  
(View ADS stream...)  
(Delete ADS stream)
C:\pagefile.sys  Not scanned (in use by another application)
No trojan files found
9708 files scanned in 518 seconds
 
SuperAntispyware Log:........................
 
SUPERAntiSpyware Scan Log
Generated 04/13/2007 at 05:53 AM
 
Application Version : 3.6.1000
 
Core Rules Database Version : 3217
Trace Rules Database Version: 1227
 
Scan type  : Complete Scan
Total Scan Time : 00:23:12
 
Memory items scanned : 138
Memory threats detected   : 0
Registry items scanned    : 5634
Registry threats detected : 0
File items scanned   : 26900
File threats detected     : 0
............................................
 
Can't actually copy what has been caught by Trojan Hunter in quarantine. This was caught before the first HJT log:
 
 C:\WINNT\System32\lwexoiu\tci.exe
 C:\WINNT\System32\xlmpho\tci.exe
 
 
Thanks again,

siliconman01
Global Moderator
Re: Help! Multiple Attacks! HJT Attached!
« Reply #3 on: Apr 14th, 2007, 2:26am »

Okay, you are making good progress.
 
First, let's fix the scan log issue in the TH scanner, where you are getting a lot of messages concerning SpyBot.  This is because SpyBot "LOCKS" its quarantine folder and TH cannot get into it.  Please just exclude this folder from the TH scan.
 
a.  Open TH scanner
b.  Click on the SCAN icon on the left icon bar.
c.  Click on the + sign next to your C drive to expand its tree.
d.  Drill down until you find the RECOVERY folder at C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery.
e.  Uncheck the RECOVERY folder.
 
This will stop TH from scanning the Spybot RECOVERY folder.  
 
Now, concerning your HJT log.
 
If you look at the HJT log, there are some O17 items that are concerning.  They are:
 
Quote:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca  
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620}  : NameServer = 85.255.116.41,85.255.112.125  
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}  : Domain = sympatico.ca  
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}  : NameServer = 85.255.116.41,85.255.112.125  
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B}  : NameServer = 85.255.116.41,85.255.112.125  
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca  
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125  
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca  
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125  
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125  

 
1.  Do you know what the sympatico.ca domain is?  
2.  Do you know what the 85.255.116.41 85.255.112.125 IP addresses are?  

 
The IP addresses are the most concerning because they appear to be a server in the Ukraine.  If you have not intentionally set up these as your name server, then we have a problem that needs to be fixed.  
 
Please do this:
 
1.  Run another HJT scan.  When the scan is completed, place a checkmark in the boxes next to the items identified below.  BE SURE these are the only boxes checkmarked.  
 
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB  
 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

 
If you do NOT know what the 85.255.116.41 and 85.255.112.125 IPs are and have NOT added them intentionally, checkmark the following items.
 

O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620}  : NameServer = 85.255.116.41,85.255.112.125  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}  : NameServer = 85.255.116.41,85.255.112.125  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B}  : NameServer = 85.255.116.41,85.255.112.125  
 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125  
 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125  
 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125

 
If you do NOT know what the sympatico.ca domain is and have NOT added it intentionally, checkmark the following items.  (I suspect this is actually your ISP domain name...so it is probably ok.)
 

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}  : Domain = sympatico.ca
 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca  
 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca  
 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca
 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca

 
2.  Once you have the boxes checkmarked, click on FIX CHECKED on the lower left of the HJT window.  Confirm that you want HJT to fix the items and let it fix them.
 
3.  Close the HJT window.
 
4.  Reboot your computer immediately.
 
5.  Run another HJT scan and post the log back here.  
 
Also, what is your primary realtime antivirus program?  I'm seeing evidence that you have 2-3 anti-virus programs installed and running.  You should be using ONLY one because of known conflicts between AVs.
 
 
« Last Edit: Apr 14th, 2007, 6:15am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Qball (Newbie, Posts: 4)
Re: Help! Multiple Attacks! HJT Attached!
« Reply #4 on: Apr 17th, 2007, 12:55am »

Sorry for the delay Siliconman01,
 
I lost my internet access when HJT (I mean ME) removed the 85.255.116.41, 85.255.112.125 IP addresses along with my TCP/IP stack. I only checked the bad ones but they all went. The correct info was still there for my ISP, but I had to re-enter the info and 'OK' my way from the local area network properties tab to re-register the HKLM keys in the registry. Got help from my ISP on that fix.
 
You'll see the correct info in the logs. I still have to put back the networking IP stuff, but the logs are good now on the O17s.
 
Thanks again. ;)
 
 
Logfile of HijackThis v1.99.1
Scan saved at 11:24:50 AM, on 4/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\program files\sygate\ssa\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HijackThis\AnalyzeMe.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smctray] "C:\Program Files\sygate\ssa\Smc.exe" -start
O4 - HKCU\..\Run: [FreeRAM XP] "F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: services.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Encarta &Definition - http://ca.encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/version4/windows-ie/en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/version3/windows-ie/en/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/controls/BellCanadaPortalAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,911,0
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149895973109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\program files\sygate\ssa\smc.exe
 
 
 
Btw, I have trimmed the Anti-Virus programs to just AVG.
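The O17 analysis in Reply #3 and the outcome reported in Reply #4 (the fix removed more than the checked NameServer values and cost the machine its connectivity) can both be checked mechanically from the two logs. The script below is an added example, not code from the thread or from the HijackThis project: it parses O17 lines, flags NameServer values that fall outside an allowlist, and diffs the pre-fix log quoted in Reply #3 against the post-fix log in Reply #4. Both logs are constructed from the O17 lines posted in the thread. EXPECTED_RESOLVERS is an assumed allowlist, taken here from the ISP resolvers visible in the post-fix log; in practice it comes from the ISP or router configuration. CCS, CS1 and CS2 are HijackThis's abbreviations for HKLM\System\CurrentControlSet and the saved ControlSet001/ControlSet002, which is why the moderator lists all three: a value removed only under CCS is still present in whichever saved control set is not the current one (for example the LastKnownGood set).

```python
"""Parse HijackThis O17 (TCP/IP parameter) lines, flag resolvers outside an
allowlist, and diff a pre-fix log against a post-fix log.

Added example for this thread, not code from the forum post or the HijackThis
project.  BEFORE_LOG/AFTER_LOG are constructed from the O17 lines posted in the
thread; EXPECTED_RESOLVERS is an assumed allowlist (the ISP resolvers in the
post-fix log).
"""
import re
from dataclasses import dataclass

# HijackThis abbreviates HKLM\System\CurrentControlSet as CCS and the saved
# control sets ControlSet001/ControlSet002 as CS1/CS2.  Machine-wide values
# sit under ...\Tcpip\Parameters; per-adapter values under ..\{adapter GUID}.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:Parameters|\.\.\\\{(?P<iface>[0-9A-Fa-f-]+)\})\s*:\s*"
    r"(?P<key>Domain|NameServer|SearchList)\s*=\s*(?P<value>.*?)\s*$"
)

EXPECTED_RESOLVERS = {"209.226.175.223", "198.235.216.134"}  # assumed allowlist


@dataclass(frozen=True)
class O17Entry:
    control_set: str   # CCS, CS1, CS2, ...
    scope: str         # "global" (Parameters key) or the adapter GUID
    key: str           # Domain, NameServer or SearchList
    values: tuple      # HJT separates NameServer entries with "," or " "

    @property
    def ident(self):
        return (self.control_set, self.scope, self.key)


def parse_o17(log_text):
    """Return the O17Entry records in a HijackThis log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            values = tuple(v for v in re.split(r"[,\s]+", m["value"]) if v)
            entries.append(O17Entry(m["cs"], m["iface"] or "global", m["key"], values))
    return entries


def flag_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Map each NameServer entry pointing outside the allowlist to its foreign IPs."""
    return {
        e.ident: sorted(set(e.values) - expected)
        for e in entries
        if e.key == "NameServer" and not set(e.values) <= expected
    }


def diff_o17(before, after):
    """Report which O17 entries were removed, changed or kept between two logs."""
    b = {e.ident: e.values for e in before}
    a = {e.ident: e.values for e in after}
    return {
        "removed": sorted(k for k in b if k not in a),
        "changed": sorted(k for k in b if k in a and a[k] != b[k]),
        "kept": sorted(k for k in b if k in a and a[k] == b[k]),
    }


def collateral_removals(before, after, expected=EXPECTED_RESOLVERS):
    """Entries that vanished although they were never flagged as hijacked resolvers."""
    flagged = flag_resolvers(before, expected)
    return [k for k in diff_o17(before, after)["removed"] if k not in flagged]


SEARCHLIST = ("implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,"
              "corp.teranet.ca,sandbox.teranet.ca,teranet.on.ca")

# Constructed from the O17 lines quoted in Reply #3 (pre-fix).
BEFORE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620}  : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}  : Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}  : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B}  : NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = SEARCHLIST
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = SEARCHLIST
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = SEARCHLIST
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41 85.255.112.125
""".replace("SEARCHLIST", SEARCHLIST)

# Constructed from the O17 lines in the post-fix log in Reply #4.
AFTER_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2} : NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
"""

if __name__ == "__main__":
    before, after = parse_o17(BEFORE_LOG), parse_o17(AFTER_LOG)
    for ident, foreign in flag_resolvers(before).items():
        print("hijacked resolver:", ident, foreign)
    print("removed but never flagged:", collateral_removals(before, after))
```

Run as a script it lists the six NameServer entries (three adapter-level, three control-set-level) that point at 85.255.116.41/85.255.112.125, and then the three SearchList entries that disappeared from the post-fix log without ever being flagged, which is the "they all went" effect Qball describes. The practical caveat the thread illustrates is to export HKLM\SYSTEM\...\Services\Tcpip before letting any tool fix O17 lines, so that adapter settings can be restored without a call to the ISP.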
siliconman01 (Global Moderator, Posts: 5671)
Re: Help! Multiple Attacks! HJT Attached!
« Reply #5 on: Apr 17th, 2007, 1:21am »


Welcome back. ;)
 
Sorry that you lost your internet connection.  There must have been some significant intertwining between your connection registry entries caused by the infection.  Glad your ISP was able to assist in getting you back online.
 
Your HJT log looks CLEAN and okay.    
 
Is your system "acting" normal/okay now?
 
You may wish to install some of the freebie security software to assist in protecting yourself from infections in the future.
 
SpywareBlaster to block thousands of malicious ActiveX sites.
 
http://www.javacoolsoftware.com/spywareblaster.html
 
HostsXpert to protect your HOSTS file.  (Check first if it works on NT)
 
http://www.wilderssecurity.com/showthread.php?t=171804
 
SuperAntiSpyware (free) is a good anti-spyware program to keep around for scanning your system routinely.  The PRO version provides realtime protection, but requires a license fee.
Qball (Newbie, Posts: 4)
Re: Help! Multiple Attacks! HJT Attached!
« Reply #6 on: May 3rd, 2007, 11:38am »

Huge Thanks Siliconman!!!!! ;)
 
Yes, the system appears to be running normally with no adverse knee-jerk reactions to the cure applied. I have implemented the recommendations that you had suggested with great success. A repeated tutorial with the kids on internet safety and security also helped (this time I think they were actually listening).
 
Sorry that it took so long to reply, but it's conference season and sales must go on wherever you may be. Thanks again for all your help, and if you have any other suggestions they are gladly welcome.
 
Qball 8)
« Last Edit: May 3rd, 2007, 11:40am by Qball »
siliconman01 (Global Moderator, Posts: 5671)
Re: Help! Multiple Attacks! HJT Attached!
« Reply #7 on: May 3rd, 2007, 12:33pm »

You are very welcome.  Glad to hear that all is working as designed.  No further suggestions at the present time other than to keep "training" your computer users on surfing and email security tactics for staying uninfected.  ;)