View Full Version : Another Pipas.A victim here.
Here is the blacklight log. Appreciate any advice! :scratch:
04/03/06 21:54:33 [Info]: BlackLight Engine 1.0.35 initialized
04/03/06 21:54:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/03/06 21:54:33 [Note]: 7019 4
04/03/06 21:54:33 [Note]: 7005 0
04/03/06 21:54:36 [Note]: 7006 0
04/03/06 21:54:36 [Note]: 7011 1856
04/03/06 21:54:36 [Note]: 7026 0
04/03/06 21:54:36 [Note]: 7026 0
04/03/06 21:54:36 [Note]: FSRAW library version 1.7.1015
04/03/06 21:54:41 [Info]: Hidden file: C:\Program Files\CyberLink\PowerDVD\cltest.exe
04/03/06 21:54:41 [Note]: 10002 1
04/03/06 21:54:47 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
04/03/06 21:54:47 [Note]: 10002 1
04/03/06 21:54:48 [Info]: Hidden file: C:\WINDOWS\system32\dmvwg.exe
04/03/06 21:54:48 [Note]: 7002 32
04/03/06 21:54:48 [Note]: 7003 1
04/03/06 21:54:48 [Note]: 10002 1
04/03/06 21:54:49 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
04/03/06 21:54:49 [Note]: 10002 1
04/03/06 21:54:50 [Info]: Hidden file: C:\WINDOWS\system32\csjes.exe
04/03/06 21:54:50 [Note]: 7002 32
04/03/06 21:54:50 [Note]: 7003 1
04/03/06 21:54:50 [Note]: 10002 1
LonnyRJones
2006-04-04, 08:06
Hi Gruven
Start with a Hijackthis log please
Roger that, will do this eve.
Logfile of HijackThis v1.99.1
Scan saved at 5:02:55 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
c:\program files\mcafee.com\agent\mcupdate.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://login.passport.net/uilogin.srf?id=2
R3 - URLSearchHook: (no name) - {5F6363A0-BE23-D273-2866-1EAE027F7710} - DTOURS.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\McAfee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [cmon14] MON76234.exe
O4 - HKLM\..\Run: [gabber] browsebar.exe
LonnyRJones
2006-04-05, 02:13
Need to see the entire log next time,.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\kppmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmppk.exe"=-
...
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSPLQ.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
_________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 7:20:32 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee.com\Agent\mcupdate.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://login.passport.net/uilogin.srf?id=2
R3 - URLSearchHook: (no name) - {5F6363A0-BE23-D273-2866-1EAE027F7710} - DTOURS.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\McAfee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [cmon14] MON76234.exe
O4 - HKLM\..\Run: [gabber] browsebar.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [sysmon12] avpmondll.exe
O4 - HKCU\..\Run: [vxdman] zantu.exe
O4 - HKCU\..\Run: [AppMasterCenter] StartCpl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F0861AB-9495-4557-8791-CBB26FE248CA}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B144677D-EC9B-406B-92CF-288B9F4207D2}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{C60D58A3-DE0F-4653-94AE-2923577F0D56}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F0861AB-9495-4557-8791-CBB26FE248CA}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F0861AB-9495-4557-8791-CBB26FE248CA}: NameServer = 85.255.114.52,85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
LonnyRJones
2006-04-05, 05:56
Start Hijackthis and place a check next to these items If there.
R3 - URLSearchHook: (no name) - {5F6363A0-BE23-D273-2866-1EAE027F7710} - DTOURS.dll (file missing)
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [cmon14] MON76234.exe
O4 - HKLM\..\Run: [gabber] browsebar.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [sysmon12] avpmondll.exe
O4 - HKCU\..\Run: [vxdman] zantu.exe
O4 - HKCU\..\Run: [AppMasterCenter] StartCpl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F0861AB-9495-4557-8791-CBB26FE248CA}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B144677D-EC9B-406B-92CF-288B9F4207D2}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{C60D58A3-DE0F-4653-94AE-2923577F0D56}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F0861AB-9495-4557-8791-CBB26FE248CA}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F0861AB-9495-4557-8791-CBB26FE248CA}: NameServer = 85.255.114.52,85.255.112.12
Optional fix>
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete this file
C:\WINDOWS\System32\CSPLQ.EXE
Your antivirus might delete when you get close to them, thats fine.
Note:
If You have connection problems or those 017's ~ 85.255.114.52,85.255.112.12, return >
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems
Post a fresh hijackthis log please, be sure to mention any current problems.
Logfile of HijackThis v1.99.1
Scan saved at 9:36:15 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
c:\program files\mcafee.com\agent\mcupdate.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://login.passport.net/uilogin.srf?id=2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\McAfee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
LonnyRJones
2006-04-05, 08:14
Looks good Gruven
Any problems/questions now ?
No probs, all looks great, thanks very much!:bigthumb: What can i run on the machine real time to keep that kind of stuff from recurring?
LonnyRJones
2006-04-05, 11:41
That one is usualy picked up visiting unsavory website's
A hosts file will sure help avoid them :)
Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
Thank you, Sir, for your time. I am reading how to use the Hosts file, and preparing to interrogate my Son about any "Unsavory Sites" he may of found.
LonnyRJones
2006-04-08, 01:01
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.
Regards
Lonny