Help Please!!



Mattman
2006-01-17, 18:48
Hey ppl,

I've had some major malware problems the past couple of weeks; every time I think I've gotten rid of everything, something pops back up. I've used almost every program on the net, I think. S&D keeps finding Command Service, but can't remove it. I've also tried deleting the keys in safe mode, which didn't work either. I'll include my HJT log. Thanks already!

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\svcnet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.elwxwfqfhie.uk/Vpo6InvvQW/RUT7t89DYKYxDk0ewTjlB3_bymqCH2qhLm2Cthx_82ohYq_wRYUzB.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [PlusLies] C:\DOCUME~1\Eigenaar\APPLIC~1\KnobItch\soft locks.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131390874687
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.hyves.nl/cab/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: docent0 - C:\WINDOWS\SYSTEM32\docent0.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\k0jsla171d.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Mattman
2006-01-17, 19:09
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB896688
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB905915
/ Step By Step Interactive Training / SP2: KB898458: Beveiligingsupdate voor Step by Step Interactive Training
/ Windows Media Player: Windows Media Update 819639
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB893066)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB896358)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB896422)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB896423)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB896424)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB896428)
/ Windows XP / SP3: Update voor Windows XP (KB898461)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB899587)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB899591)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB900725)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB901017)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB901214)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB902400)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB904706)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB905414)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB905749)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB905915)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB908519)
/ Windows XP / SP3: Update voor Windows XP (KB910437)
/ Windows XP / SP3: Beveiligingsupdate voor Windows XP (KB912919)


--- Startup entries list ---
Located: HK_LM:Run, AGRSMMSG
command: AGRSMMSG.exe
file: C:\WINDOWS\AGRSMMSG.exe
size: 88363
MD5: e7be65bf79906aebc698e077d53f6a1c

Located: HK_LM:Run, BluetoothAuthenticationAgent
command: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
file: C:\WINDOWS\system32\rundll32.exe
size: 33792
MD5: 16c68603123832bfd177b8334e9d9cb2

Located: HK_LM:Run, ccApp
command: "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: c:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 70800
MD5: efd660dde902cd2a3cb8de91a35ac0ff

Located: HK_LM:Run, I/O Controllers
command: svcnet.exe
file: C:\WINDOWS\system32\svcnet.exe
size: 184864
MD5: 080f64f9f960a6e9a4fe017e5ade8019

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 278528
MD5: a8cf3f60099eaa123db72611ce7be271

Located: HK_LM:Run, MSConfig
command: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
file: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
size: 160256
MD5: d64d4f300298c5a75e9a0c42c5dfd594

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33792
MD5: 16c68603123832bfd177b8334e9d9cb2

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 155648
MD5: c74c7963eec07af49dce44d64819b2bf

Located: HK_LM:Run, SpySweeper
command: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
file: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3831808
MD5: c650a048802c680a64eb2f49b0e6228a

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: b939bc487be956e30ff8981a7b714474

Located: HK_CU:Run, ares
command: "C:\Program Files\Ares\Ares.exe" -h
file: C:\Program Files\Ares\Ares.exe
size: 1209856
MD5: db7746479957ea2d98ceb491418e2bfd

Located: HK_CU:Run, I/O Controllers
command: svcnet.exe
file: C:\WINDOWS\system32\svcnet.exe
size: 184864
MD5: 080f64f9f960a6e9a4fe017e5ade8019

Located: HK_CU:Run, PlusLies
command: C:\DOCUME~1\Eigenaar\APPLIC~1\KnobItch\soft locks.exe
file: C:\DOCUME~1\Eigenaar\APPLIC~1\KnobItch\soft locks.exe
size: 202229
MD5: 35f99c1f3890f54c15c47fd3d4e92fd6

Located: HK_CU:Run, Spyware Doctor
command: "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
file: C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1976544
MD5: 1775096a465e9a1f27b0a37e2bd9f9e5

Located: Startup (common), BTTray.lnk
command: C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
file: C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
size: 499779
MD5: cb7365943d62857714ae88c1d109d20c

Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87

Located: Startup (disabled), Adobe Reader Snelle start (DISABLED)
command: C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
file: C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
size: 29696
MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (disabled), BTTray (DISABLED)
command: C:\PROGRA~1\BLUETO~1\BTTray.exe
file:

Located: Startup (disabled), HP Digital Imaging Monitor (DISABLED)
command: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
file: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
size: 237568
MD5: da6b945e561b1d1da67663bb45b4b868

Located: Startup (disabled), Logitech SetPoint (DISABLED)
command: C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe
file: C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe
size: 450560
MD5: 57781b2d6c4ddbf753d820472462e445

Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l
file: C:\PROGRA~1\MICROS~4\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (disabled), SpeedTouch 120g Wireless USB Monitor (DISABLED)
command: C:\PROGRA~1\THOMSO~1\SPEEDT~2\st120g.exe
file: C:\PROGRA~1\THOMSO~1\SPEEDT~2\st120g.exe
size: 303104
MD5: b994b48fe75065603e75e0a55f35dd03

Located: Startup (disabled), SpeedTouch 121g Wireless USB Monitor (DISABLED)
command: C:\PROGRA~1\THOMSO~1\SPEEDT~1\st121g.exe
file:

Located: WinLogon, docent0
command: docent0.dll
file: docent0.dll

Located: WinLogon, Reliability
command: C:\WINDOWS\system32\k0jsla171d.dll
file: C:\WINDOWS\system32\k0jsla171d.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???



--- Browser helper object list ---
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
BHO name:
CLSID name: PCTools Site Guard
Path: C:\PROGRA~1\SPYWAR~1\tools\
Long name: iesdsg.dll
Short name:
Date (created): 15/01/2006 12:48:40
Date (last access): 17/01/2006 17:29:02
Date (last write): 09/12/2005 16:22:26
Filesize: 786656
Attributes: archive
MD5: 5687E0824D86BCD741FF316B2AAEC223
CRC32: A1216E9B
Version: 3.5.0.65

{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
BHO name:
CLSID name: PCTools Browser Monitor
Path: C:\PROGRA~1\SPYWAR~1\tools\
Long name: iesdpb.dll
Short name:
Date (created): 15/01/2006 12:48:40
Date (last access): 17/01/2006 17:28:58
Date (last write): 09/12/2005 16:17:26
Filesize: 847072
Attributes: archive
MD5: 360D17EF3AB1B495D84C3B66C3BB0C9D
CRC32: BA6D410C
Version: 3.5.0.274



--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 13/11/2005 14:43:36
Date (last access): 17/01/2006 18:03:00
Date (last write): 19/07/2005 15:39:26
Filesize: 54976
Attributes: archive
MD5: 9AB7B8D074FF363415BD3E32F03B0E76
CRC32: 8661EA6D
Version: 10.1.0.11

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage)
DPF name:
CLSID name: Windows Genuine Advantage
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 04/11/2005 16:27:24
Date (last access): 17/01/2006 18:03:00
Date (last write): 04/11/2005 16:27:24
Filesize: 534280
Attributes: archive
MD5: EC5FE860DD51ABB348B6C6C9EEAD4146
CRC32: 1FD27DDB
Version: 1.4.389.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131390874687
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: wuweb.dll
Short name:
Date (created): 26/05/2005 04:19:32
Date (last access): 17/01/2006 18:03:00
Date (last write): 26/05/2005 04:19:32
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 5.8.0.2469

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 01/01/2004 09:59:40
Date (last access): 17/01/2006 18:03:00
Date (last write): 01/01/2004 09:59:40
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 1.4.2.30

{A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control)
DPF name:
CLSID name: Aurigma Image Uploader 3.5 Control
Installer: C:\WINDOWS\Downloaded Program Files\ImageUploader3.inf
Codebase: http://www.hyves.nl/cab/ImageUploader3.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ImageUploader3.ocx
Short name: IMAGEU~1.OCX
Date (created): 02/07/2005 10:02:30
Date (last access): 17/01/2006 18:03:00
Date (last write): 02/07/2005 10:02:30
Filesize: 1873432
Attributes: archive
MD5: 017B5CF010D8ED9D0001E521AB0BA330
CRC32: 5CE6654A
Version: 3.5.75.0
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 14/08/2005 00:26:04
Date (last access): 17/01/2006 18:03:00
Date (last write): 14/08/2005 00:26:04
Filesize: 113664
Attributes: archive
MD5: C403792A3FF639C215067D5AA680C482
CRC32: 7CD0769A
Version: 1.0.0.3

{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi142_03.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 01/01/2004 09:59:40
Date (last access): 17/01/2006 18:03:00
Date (last write): 01/01/2004 09:59:40
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 1.4.2.30

Mattman
2006-01-17, 19:10
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash8.ocx
Short name:
Date (created): 27/08/2005 13:38:56
Date (last access): 17/01/2006 18:03:00
Date (last write): 27/08/2005 13:38:56
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 604 ( 4) \SystemRoot\System32\smss.exe
PID: 688 ( 604) \??\C:\WINDOWS\system32\winlogon.exe
PID: 732 ( 688) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 39991CD3C17B7529D039151A88E84499
PID: 744 ( 688) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 34A82DEBEFB057FCCCBE15F619FC98A7
PID: 896 ( 732) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: AB8C6D89A897BACBA4657FDF00E344A6
PID: 1048 ( 732) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: AB8C6D89A897BACBA4657FDF00E344A6
PID: 1348 ( 732) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1376 ( 688) C:\WINDOWS\system32\rundll32.exe
size: 33792
MD5: 16C68603123832BFD177B8334E9D9CB2
PID: 1660 (1596) C:\WINDOWS\Explorer.EXE
size: 1035776
MD5: A1D7304A87FC3093150F5E3CC7B0F338
PID: 1808 (1660) C:\Program Files\iTunes\iTunesHelper.exe
size: 278528
MD5: A8CF3F60099EAA123DB72611CE7BE271
PID: 1816 (1660) C:\Program Files\QuickTime\qttask.exe
size: 155648
MD5: C74C7963EEC07AF49DCE44D64819B2BF
PID: 1832 (1660) C:\WINDOWS\system32\rundll32.exe
size: 33792
MD5: 16C68603123832BFD177B8334E9D9CB2
PID: 1896 (1660) C:\WINDOWS\AGRSMMSG.exe
size: 88363
MD5: E7BE65BF79906AEBC698E077D53F6A1C
PID: 1920 (1660) C:\WINDOWS\system32\svcnet.exe
size: 184864
MD5: 080F64F9F960A6E9A4FE017E5ADE8019
PID: 1928 (1660) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3831808
MD5: C650A048802C680A64EB2F49B0E6228A
PID: 156 (1660) C:\Program Files\Ares\Ares.exe
size: 1209856
MD5: DB7746479957EA2D98CEB491418E2BFD
PID: 228 (1660) C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1976544
MD5: 1775096A465E9A1F27B0A37E2BD9F9E5
PID: 232 ( 180) c:\progra~1\intern~1\iexplore.exe
size: 93184
MD5: 78D969F35CD64BF0761F731FCA5FC99D
PID: 308 (1660) C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
size: 499779
MD5: CB7365943D62857714AE88C1D109D20C
PID: 328 (1660) C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61C028ABA5E49573A6332F4A7C744E87
PID: 352 ( 320) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
MD5: 78D969F35CD64BF0761F731FCA5FC99D
PID: 528 ( 732) C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
size: 135168
MD5: 9DB4FCB7BC45E6B08A865E48BCF82C7A
PID: 556 ( 328) C:\Program Files\SpywareGuard\sgbhp.exe
size: 233472
MD5: A80D0704537C0EF97DB2BEF24B99AF1A
PID: 568 ( 732) c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
size: 234640
MD5: E6315ACBEB49EFD397F1B265D9C36291
PID: 640 ( 732) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
size: 270336
MD5: A66BD9D9057DE92947F4CD81A3FA4DB5
PID: 812 ( 732) c:\Program Files\Norton AntiVirus\navapsvc.exe
size: 158864
MD5: 38D1E06F4D409EF2CE93AFFE5258AF0C
PID: 988 ( 732) C:\Program Files\Network Monitor\netmon.exe
size: 94208
MD5: 32760839E42CC4E151A82BC4D89B02DE
PID: 1020 ( 732) C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
size: 45056
MD5: 037B766AB9CEC2F2F0E5963F40E63CBC
PID: 1580 ( 732) C:\WINDOWS\System32\nvsvc32.exe
size: 77824
MD5: 2CA62BC8F42E2690DA1EB8EA75AD2D99
PID: 1192 ( 732) C:\Program Files\Spyware Doctor\sdhelp.exe
size: 870624
MD5: 186EE3B89521257C480E55063A91DE77
PID: 2136 ( 732) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: AB8C6D89A897BACBA4657FDF00E344A6
PID: 2164 ( 732) C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
size: 2109440
MD5: 50437F0E244920E3962CA5E1D9CC6BA2
PID: 2420 ( 732) c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
size: 255120
MD5: 5D92F66C4BB7BDCE53E544338AD12CAA
PID: 2728 ( 732) C:\Program Files\iPod\bin\iPodService.exe
size: 323584
MD5: EDA049739349F0E837D4F55E8879D665
PID: 2512 (1660) C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
size: 7162979
MD5: F375D4684A1F72D279A7CFA7A5DE1A9C
PID: 3660 (1660) C:\Program Files\MSN Messenger\msnmsgr.exe
size: 7086080
MD5: 55406C4B910C174CDF36F66AFCA1A18C
PID: 1272 ( 896) C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
PID: 1492 (1660) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System
PID: 664 ( 604) csrss.exe
PID: 952 ( 732) svchost.exe
PID: 1108 ( 732) svchost.exe
PID: 1204 ( 732) svchost.exe
PID: 512 ( 732) svchost.exe
PID: 2368 ( 732) wdfmgr.exe
PID: 3344 ( 732) alg.exe


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 17/01/2006 18:04:59

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.elwxwfqfhie.uk/Vpo6InvvQW/RUT7t89DYKYxDk0ewTjlB3_bymqCH2qhLm2Cthx_82ohYq_wRYUzB.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5F45B298-E2D8-4917-9E3C-471DD952C928}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5F45B298-E2D8-4917-9E3C-471DD952C928}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{420DE968-A38E-4C18-ACBA-106A3F766908}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{420DE968-A38E-4C18-ACBA-106A3F766908}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C1EBF466-9A58-492F-B5BD-637314C47123}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C1EBF466-9A58-492F-B5BD-637314C47123}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F3923CCB-EE9E-4997-880E-DDF08863376D}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F3923CCB-EE9E-4997-880E-DDF08863376D}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCC7BC6C-771F-4FEB-BF5B-47287FBAC5CA}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCC7BC6C-771F-4FEB-BF5B-47287FBAC5CA}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93C4F9B0-BBEF-40B5-99A8-E0A54C6CB4D7}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93C4F9B0-BBEF-40B5-99A8-E0A54C6CB4D7}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Naamruimte voor Network Location Awareness (NLA)
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

LonnyRJones
2006-01-20, 22:49
Welcome to the forum Mattman

Is your XP an upgrade from a previous Windows version?

In the Windows Control Panel > Add/Remove Programs,
uninstall "Network Monitor".

Look for an item called "Search Plugin"; if it's there, uninstall it, then restart your PC.
If it's not there, start the uninstall of Messenger Plus and at least uninstall its sponsor software.
I suggest canning (uninstalling) the whole program.


Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).

O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Delete C:\WINDOWS\system32\svcnet.exe
and the C:\Program Files\Network Monitor folder.

Post a fresh HijackThis log please. Also:
Post a report from this tool,
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the "I accept" button near the bottom of that page.
Download and run Blacklight, click > Scan, then > Next, Next again, then Exit.
There will be a new .txt next to Blacklight. Post it please.
!!Do not rename any files yet.
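The items the reply above singles out can be spotted mechanically in the Spybot "Startup entries list" report Mattman posted: the same bare `svcnet.exe` command registered under both HK_LM:Run and HK_CU:Run, a WinLogon notify entry whose file never resolved to a full path, and a DLL reported with size 0 and the MD5 of an empty file (`d41d8cd98f00b204e9800998ecf8427e` is what MD5 returns for zero bytes, which is why Spybot printed `???`). The triage script below is an added example written for this thread, not code from Spybot, HijackThis or anyone in the thread; the sample report embedded in it is constructed from entries copied out of the log above, and the heuristics (`triage`) are this example's own choices, not a detection rule from either tool.

```python
import hashlib
import re
from collections import defaultdict

# MD5 of zero bytes: a "size: 0" file, or one the scanner could not read,
# hashes to this value. Spybot flags that case with "???" in its report.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed sample in the Spybot S&D "Startup entries list" layout.
# Entries are copied from the report posted in the thread above.
SAMPLE_REPORT = r"""
Located: HK_LM:Run, ccApp
command: "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: c:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 70800
MD5: efd660dde902cd2a3cb8de91a35ac0ff

Located: HK_LM:Run, I/O Controllers
command: svcnet.exe
file: C:\WINDOWS\system32\svcnet.exe
size: 184864
MD5: 080f64f9f960a6e9a4fe017e5ade8019

Located: HK_CU:Run, I/O Controllers
command: svcnet.exe
file: C:\WINDOWS\system32\svcnet.exe
size: 184864
MD5: 080f64f9f960a6e9a4fe017e5ade8019

Located: WinLogon, docent0
command: docent0.dll
file: docent0.dll

Located: WinLogon, Reliability
command: C:\WINDOWS\system32\k0jsla171d.dll
file: C:\WINDOWS\system32\k0jsla171d.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???
"""

ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')  # optionally quoted drive-letter path


def parse_startup_entries(report):
    """Turn the 'Located:/command:/file:/size:/MD5:' blocks into dicts."""
    entries, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Located:"):
            location, _, name = line[len("Located:"):].strip().partition(", ")
            current = {"location": location, "name": name}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return entries


def triage(entries):
    """Return (entry label, reason) pairs worth a human's second look.

    These are review heuristics, not verdicts: legitimate entries such as
    rundll32.exe or AGRSMMSG.exe also use a bare filename in their command.
    """
    findings = []
    by_command = defaultdict(list)
    for e in entries:
        by_command[e.get("command", "").lower()].append(e)

    for e in entries:
        label = f'{e["location"]}, {e["name"]}'
        command = e.get("command", "")
        file_path = e.get("file", "")
        md5 = e.get("md5", "").split()[0].lower() if e.get("md5") else ""

        if not ABS_PATH.match(file_path):
            findings.append((label, "file not resolved to an absolute path"))
        if command and not ABS_PATH.match(command) and not command.startswith("%"):
            findings.append((label, "bare filename in command (resolved by PATH search)"))
        if e.get("size") == "0" or md5 == EMPTY_MD5:
            findings.append((label, "zero-byte file or empty-file MD5 (unreadable at scan time)"))
        if e["location"].startswith("HK_") and len(by_command[command.lower()]) > 1:
            findings.append((label, "same command registered in more than one Run key"))
    return findings


if __name__ == "__main__":
    for label, reason in triage(parse_startup_entries(SAMPLE_REPORT)):
        print(f"{label}: {reason}")
```

Run against the constructed sample, the Symantec ccApp entry produces no finding, both I/O Controllers entries are flagged twice (bare command, duplicated across HKLM and HKCU), docent0 is flagged for never resolving to a path, and Reliability is flagged for the zero-byte file. The duplicate-Run-key check is the one that most reliably separates the svcnet.exe entries from the bare-but-benign rundll32 and AGRSMMSG.exe lines elsewhere in the same log.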

tashi
2006-01-24, 22:14
Mattman, still with us?

LonnyRJones
2006-01-28, 14:32
Due to lack of responses this thread is closed.
If you still need assistance, a new log will be needed; send me or Tashi a PM or email and we will re-open it.