View Full Version : hijacked browser toolbar not removed and still active
vincent1
2006-05-09, 00:11
Greetings,
My IE 6 has a toolbar that should not be there with an uninstall option at the side. If clicked, goes to multiple gambling sites/porn sites.
I just ran Spybot, found a lot of files and duly deleted. Restarted my machine and launched IE but the tool bar is still there and still active.
KIndly advise.
Thanks and regards,
Vincent.
My report:
--- Report generated: 2006-05-09 05:34 ---
Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net\www\*!=W=4
Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redfunny.com\www\*!=W=4
Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skymasters.biz\www\*!=W=4
Sfonditalia: Link (File, fixed)
C:\Documents and Settings\Administrator\My Documents\WinMoviePlugIn.lnk
CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSEnable
CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSHint
CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSList
CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSMenu
CnsMin: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSReset
CnsMin: Library (File, fixed)
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
ISearchTech.YSB: Module usage (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YSBactivex.dll
Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656A137-B161-CADD-9777-E37A75727E78}
SurfSideKick: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Security\rpt
UnSpyPc: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\UnSpyPC
UnSpyPc: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC
UnSpyPc: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\UnSpyPC
UnSpyPc: Program directory (Directory, fixed)
C:\Program Files\UnSpyPC\
UnSpyPc: Data (File, fixed)
C:\Program Files\UnSpyPC\wover.dat
WareOut: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-2734-477F-8257-27CD04F88779}
Windows Security Center.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
FindSpy.A: Sound file (File, fixed)
C:\WINDOWS\balloon.wav
CnsMin: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-789336058-436374069-682003330-500\Software\Microsoft\Internet Explorer\Main\CNSAutoUpdate
Pipas.A: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
MediaPlex: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)
CnsMin: Tracking cookie (Firefox: default) (Cookie, fixed)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-05 Includes\Cookies.sbi (*)
2006-05-05 Includes\Dialer.sbi (*)
2006-05-05 Includes\Hijackers.sbi (*)
2006-05-05 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-05-05 Includes\Malware.sbi (*)
2006-05-05 Includes\PUPS.sbi (*)
2006-05-05 Includes\Revision.sbi (*)
2006-05-05 Includes\Security.sbi (*)
2006-05-05 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-05 Includes\Trojans.sbi (*)
steamwiz
2006-05-10, 00:51
Hi
Download a self-extracting copy of HijackThis from :-
http://downloads.malwareremoval.com/hijackthis_sfx.exe
1. save it to your Desktop.
2. Double-click on the file hijackthis_sfx.exe and it will self-extract into its own folder,
C:\Program Files\HijackThis
3. Go to this folder and run the hijackthis.exe file
4. click Do a system scan and save a logfile
5. Copy & paste the logfile into your next post here...
steam
vincent1
2006-05-10, 11:07
Thank you for your response. Hijack results:
Logfile of HijackThis v1.99.1
Scan saved at 5:06:04 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5AAC3C-B1AB-4732-AA33-CDEA7B151589}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E671E59D-00BD-45E8-8520-02DA3F890BCF}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB82600F-96B2-4178-A53E-D848E26C61B4}: NameServer = 85.255.115.84,85.255.112.221
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
vincent1
2006-05-10, 11:13
Redid the hijack as google was not on previously. The unwanted bar is somehow attached to google's.
Logfile of HijackThis v1.99.1
Scan saved at 5:11:59 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5AAC3C-B1AB-4732-AA33-CDEA7B151589}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E671E59D-00BD-45E8-8520-02DA3F890BCF}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB82600F-96B2-4178-A53E-D848E26C61B4}: NameServer = 85.255.115.84,85.255.112.221
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
steamwiz
2006-05-10, 20:48
HI
First go to Add/remove programs in the control panel and uninstall UnSpyPC it is a rogue program...
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Then...
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\ksnhb.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5AAC3C-B1AB-4732-AA33-CDEA7B151589}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E671E59D-00BD-45E8-8520-02DA3F890BCF}: NameServer = 85.255.115.84,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB82600F-96B2-4178-A53E-D848E26C61B4}: NameServer = 85.255.115.84,85.255.112.221
Reboot then delete the following files (if found) :-
C:\WINDOWS\system32\ksnhb.dll ... file
C:\Program Files\UnSpyPC ... folder
cheers
steam
vincent1
2006-05-12, 03:53
Thank you for the help. My system is clear.
vincent1
2006-05-12, 10:20
Greetings,
After having remove spyware and malware with help from here (thank you!) from my windows xp pro, it seems that whenever I open a few windows (not Browser windows) my computer hangs, i.e perpetual sand timer and nothing works except ctrl alt delete and I have to restart.
After clicking Restart, either "ending pccguide.exe or ending explorer.exe" windows pops up and I have to press "end now" before it will restart.
If I don't open any XP windows, everything seems to work fine.
Any idea how to fix this?
steamwiz
2006-05-12, 23:37
You're very welcome :)
Happy surfing
steam
LonnyRJones
2006-05-13, 04:54
Merged post seven to this thread
steamwiz will continue with you vincent1
steamwiz
2006-05-13, 19:31
Thanks Lonny :wink::
vincent1 ... It's not unusual to receive an "ending process" box for an application, when shutting down windows .. it shouldn't happen, but it sometimes does, this is because the application has not been properly released from memory...in fact it's "stuck" in memory...
pccguide.exe is part of your Trend Micro\Internet Security 2005 program (don't ask me exactly what is does)
explorer.exe is your windows shell, desktop, taskbar etc,
First I'd like you to post a new hijackthis log...
Did you delete this file C:\WINDOWS\system32\ksnhb.dll like I asked you too ?
It's OK if you did (it's malware) but the dll may still be in memory and causing the problem...
It's also possible you have new malware attached to explorer.exe
steam
steamwiz
2006-05-13, 21:24
Hi
Please do this for me as well...
Please download & run blacklight Rootkit diagnostic tool from :-
http://www.f-secure.com/blacklight/try.shtml
click I ACCEPT
click download > save it to your desktop
then ...
1. Double-click blbeta.exe
2. Accept the agreement > click next
3. click scan
4. A list of all items found will be displayed, or it will say "No hidden items found"
if anything is found do NOT elect to rename or clean anything, as legitimate entries could be found - click close
5. if you see "No hidden items found" click next then exit
On your desktop you will now see a log file, it will look something like this fsbl-20060105183235.log
6. open the log file and paste the contents into a post here... (if the log is too large to paste, then please attach it)
steam
vincent1
2006-05-14, 16:22
Hi Steam,
Thank you for your response. Ran the diagnostic and log duly posted:
05/14/06 22:16:33 [Info]: BlackLight Engine 1.0.36 initialized
05/14/06 22:16:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/14/06 22:16:33 [Note]: 7019 4
05/14/06 22:16:33 [Note]: 7005 0
05/14/06 22:17:01 [Note]: 7006 0
05/14/06 22:17:01 [Note]: 7011 128
05/14/06 22:17:02 [Note]: 7026 0
05/14/06 22:17:02 [Note]: 7026 0
05/14/06 22:17:09 [Note]: FSRAW library version 1.7.1015
05/14/06 22:17:30 [Info]: Hidden file: c:\Program Files\CyberLink DVD Solution\PowerDVD\cltest.exe
05/14/06 22:17:30 [Note]: 10002 1
05/14/06 22:18:31 [Info]: Hidden file: c:\WINDOWS\system32\cssjc.exe
05/14/06 22:18:31 [Note]: 7002 32
05/14/06 22:18:31 [Note]: 7003 1
05/14/06 22:18:31 [Note]: 10002 1
05/14/06 22:18:32 [Info]: Hidden file: c:\WINDOWS\system32\favset.exe
05/14/06 22:18:32 [Note]: 10002 1
05/14/06 22:18:33 [Info]: Hidden file: c:\WINDOWS\system32\filesafer23.exe
05/14/06 22:18:33 [Note]: 10002 1
05/14/06 22:18:33 [Info]: Hidden file: c:\WINDOWS\system32\howiper.exe
05/14/06 22:18:33 [Note]: 10002 1
05/14/06 22:18:36 [Info]: Hidden file: c:\WINDOWS\system32\pppcgm.exe
05/14/06 22:18:36 [Note]: 10002 1
05/14/06 22:18:38 [Info]: Hidden file: c:\WINDOWS\system32\sphlp32.exe
05/14/06 22:18:38 [Note]: 10002 1
05/14/06 22:18:39 [Info]: Hidden file: c:\WINDOWS\system32\dmqrg.exe
05/14/06 22:18:39 [Note]: 7002 32
05/14/06 22:18:39 [Note]: 7003 1
05/14/06 22:18:39 [Note]: 10002 1
05/14/06 22:19:20 [Info]: Hidden file: c:\WINDOWS\system32\wbem\wbemtest.exe
05/14/06 22:19:20 [Note]: 10002 1
05/14/06 22:21:04 [Note]: 7007 0
Thanks and regards,
Vincent1
steamwiz
2006-05-14, 22:18
HI
1. Download Pocket KillBox .. http://www.help2go.com/modules.php?name=Forums&file=download&id=378 (unzip to the desktop)
2. Run the Killbox.exe file
check the box "Delete on Reboot"
copy and paste the following bold lines into the "Full Path of File to Delete" box in Killbox (one at a time) ...after each
one,click the red button with the white X on it.
Say yes to "delete on reboot" and NO to reboot now, untill you have entered ALL the files, then say "yes" to
reboot now...
c:\WINDOWS\system32\cssjc.exe
c:\WINDOWS\system32\favset.exe
c:\WINDOWS\system32\filesafer23.exe
c:\WINDOWS\system32\howiper.exe
c:\WINDOWS\system32\pppcgm.exe
c:\WINDOWS\system32\sphlp32.exe
c:\WINDOWS\system32\dmqrg.exe
Let it reboot - If you get a PendingOperations message (reboot manualy) ...
THEN...
Print out these instructions for reference, since you will have to restart your computer during the fix.
1. Please download FixWareout from one of these sites:-
http://forums.subratam.org/index.php?act=Attach&type=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe
2. Save it to your desktop and run it.
3. Click Next > then Install > then make sure "Run fixit" is checked and click Finish.
4. The fix will begin, follow the prompts.
5. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load this is
normal.
6. When your system reboots (BE patient), follow the prompts. Afterwards, HijackThis may launch. Please Close HijackThis,
and click OK to proceed.
At the end of the fix, you may need to restart your computer again, restart if prompted.
Finally, please post the contents of :-
C:\fixwareout\report.txt
A new HijackThis log.
steam
vincent1
2006-05-15, 03:00
HI Steamwiz,
I did as instructed until Run Fix it for Fixwareout, the programme did not ask to reboot after that and this is the report that came out immediately:
Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,52,4e,42,4f,56,44,44,2e,44,4c,4c,00,00
.....
End vxd check
.....
please post this at the forum
Kindly advise.
vincent1
2006-05-15, 09:29
some of my Google search results are still being diverted to elsewhere when clicked. So something must still be active.
Diverted to places like:
http://www.casinocaesar.com/
http://oldhetaira.com/books.cfm?nft=1&t=4&p=4
Thanks for your assistance.
steamwiz
2006-05-15, 16:56
HI vincent
Please go here :-
http://www.tech-forums.net/computer/topic/29806.html
Download the appropriate exe file for your Operating system... doubleclick on the exe file you downloaded and it will replace the file...
Then please follow the instructions for running FixWareout again...
cheers
steam
vincent1
2006-05-15, 18:26
Hello Steamwiz,
Done as instructed.
Regards,
Vincent.
Reports below:
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xammd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmmax.exe"=-
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSUYU.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSUYU.EXE 51,262 2006-05-09
C:\WINDOWS\SYSTEM32\DMMAX.EXE 44,045 2004-08-04
Logfile of HijackThis v1.99.1
Scan saved at 12:25:48 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
steamwiz
2006-05-15, 19:52
HI
Note these files found by fixwareout :-
C:\WINDOWS\SYSTEM32\CSUYU.EXE 51,262 2006-05-09
C:\WINDOWS\SYSTEM32\DMMAX.EXE 44,045 2004-08-04
The first is abviously a bad file..
Look at the date the second one was created, it looks like it's been on your computer for nearly 2 years...
I want you to get the second file scanned (it's almost certainly malware, but maybe not associated with this infection)
& while you're at it, you may as well scan the first one as well, then we can compare the results...
Please go here :-
http://virusscan.jotti.org/
Upload this file from your computer :-
C:\WINDOWS\SYSTEM32\CSUYU.EXE
copy & paste the above bold line into the "File to upload and scan" box...
or click the browse button and browse to the file on your computer...
Then click the submit button
Then do the same with this :-
C:\WINDOWS\SYSTEM32\DMMAX.EXE
Post back the results
cheers
steam
vincent1
2006-05-16, 04:25
HI Steamwiz,
Run scan on dmmax.exe and uploaded image file. Jotti went offline before I could scan csuyu.exe. Will post this when jotti comes online again.
Thanks.
vincent1
2006-05-16, 16:20
have scanned csuyu and results posted:
steamwiz
2006-05-16, 19:01
HI Vincent
Use killbox to delete these 2 files :-
C:\WINDOWS\SYSTEM32\CSUYU.EXE
C:\WINDOWS\SYSTEM32\DMMAX.EXE
Follow the same procedure as before, in post #13
Then please run the Blacklight & FixWareout programs again and post the new logs...
cheers
steam
vincent1
2006-05-17, 05:28
Greetings Steam,
Attached all the latest logs. Looking forward to a clean system again.
Thanks for your help.
05/17/06 11:10:57 [Info]: BlackLight Engine 1.0.36 initialized
05/17/06 11:10:57 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/17/06 11:10:57 [Note]: 7019 4
05/17/06 11:10:57 [Note]: 7005 0
05/17/06 11:11:07 [Note]: 7006 0
05/17/06 11:11:07 [Note]: 7011 2024
05/17/06 11:11:07 [Note]: 7026 0
05/17/06 11:11:07 [Note]: 7026 0
05/17/06 11:11:17 [Note]: FSRAW library version 1.7.1015
05/17/06 11:15:24 [Note]: 7007 0
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Logfile of HijackThis v1.99.1
Scan saved at 11:24:06 AM, on 5/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122805 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135418250625
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
steamwiz
2006-05-17, 12:05
Hi vincent
All your logs are clean :)
Are your problems resolved ?
steam
vincent1
2006-05-17, 17:31
HI Steam,
Everything seems fine and dandy so far!
Is there any way to check for reinfection? Seeing how dmmax.exe (whatever that was) has been in my computer for two years undetected by the virus software I have been using.
In any case, thank you very much for your time, assistance and patience in resolving my problems. :bigthumb:
Cheers,
Vincent Wan
steamwiz
2006-05-17, 18:33
Hi Vincent
You're very welcome...
There's so much malware out there, all the different anti malware programs catch some of it, but it's impossible for any program to keep up with all of it...
The file you had for so long was not active, that's how it got missed, I doubt there is such a thing as a clean computer anymore, unless you format and reinstall..
Have a look at this link :-
So how did I get infected in the first place? ... >
http://forums.spybot.info/showthread.php?t=279
cheers
steam