Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Help! Thanks... (log file)


  • This topic is locked This topic is locked
11 replies to this topic

#1 bob66

bob66

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 15 January 2006 - 10:14 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:33:51 AM, on 15-Jan-06
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\WINNT\System32\Isass.exe
C:\WINNT\System32\winamp.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\systems.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Administrator\Desktop\download\hjack\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINNT\System32\pmkll.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\System32\winamp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nethost.exe] C:\systems.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload114a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39525716-FC0A-439F-80D6-C22866F6BD65}: NameServer = 169.169.0.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: pmkll - C:\WINNT\System32\pmkll.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    Advertisements

Register to Remove


#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 15 January 2006 - 01:20 PM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


#3 bob66

bob66

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 15 January 2006 - 06:09 PM

VundoFix V4.0

Listing files found while scanning....

C:\WINNT\System32\pmkll.dll
C:\WINNT\System32\llkmp.ini

Attempting to delete C:\WINNT\System32\pmkll.dll
C:\WINNT\System32\pmkll.dll Has been deleted!

Attempting to delete C:\WINNT\System32\llkmp.ini
C:\WINNT\System32\llkmp.ini Has been deleted!

Performing Repairs to the registry.
Done!

###############################

Logfile of HijackThis v1.99.1
Scan saved at 7:00:59 PM, on 15-Jan-06
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\systems.exe
C:\WINNT\System32\internat.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\download\hjack\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\System32\winamp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nethost.exe] C:\systems.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload114a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39525716-FC0A-439F-80D6-C22866F6BD65}: NameServer = 169.169.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5636B49E-1CC2-4DC5-AF19-8B48FB5A030D}: NameServer = 142.169.1.16 199.84.242.22
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 15 January 2006 - 08:12 PM

Scan with hijackthis and put a check beside these lines and choose FIX

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\System32\winamp.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\Run: [nethost.exe] C:\systems.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe

O15 - Trusted Zone: *.elitemediagroup.net

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload114a.exe

O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)

Then boot to safe mode (tap f8 while bios loads) look for and delete these files if present (make sure hidden files are visable tutorial here >>>> http://www.xtra.co.n...1916458,00.html )

C:\WINNT\System32\Isass.exe
C:\WINNT\System32\winamp.exe
C:\WINNT\elitemediapop.exe
C:\systems.exe

Then reboot to normal mode and a new hijackthis log please.

#5 bob66

bob66

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 16 January 2006 - 03:27 AM

Logfile of HijackThis v1.99.1
Scan saved at 4:21:10 AM, on 16-Jan-06
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\download\hjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 169.169.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39525716-FC0A-439F-80D6-C22866F6BD65}: NameServer = 169.169.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5636B49E-1CC2-4DC5-AF19-8B48FB5A030D}: NameServer = 142.169.1.16 199.84.242.22
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 16 January 2006 - 04:47 PM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#7 bob66

bob66

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 17 January 2006 - 06:11 PM

I would like to thank you very much for your help!!!

I cannot run the Ewido scan in safe mode because my serial mouse wont work.
Can't start the scan with the keyboard...

So I did it in normal mode...

Bye!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:36:46 PM, 17-Jan-06
+ Report-Checksum: 6A232D13

+ Scan result:

:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Hotlog : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\s3071fxu.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\PCI_800A\WinME\pctptt.ex_ -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5UQRWA5F\justin[1].exe -> Adware.EZula : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K949GRKT\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\Fichier_Install\modem\PCI_800A\WinME\pctptt.ex_ -> Dialer.Generic : Cleaned with backup
C:\Fichier_Install\modem\PCI_800A.zip/PCI_800A/WinME/pctptt.ex_ -> Dialer.Generic : Cleaned with backup
C:\Fichier_Install\Xcel _2000_Motherboard\PCI_800A.zip/PCI_800A/WinME/pctptt.ex_ -> Dialer.Generic : Cleaned with backup
C:\index1.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\WINNT\justin.exe -> Adware.EZula : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 6:49:18 PM, on 17-Jan-06
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\Explorer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\hjack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39525716-FC0A-439F-80D6-C22866F6BD65}: NameServer = 169.169.0.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#8 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 17 January 2006 - 08:16 PM

Scan with hijackthis and put a hceck beside this line and choose FIX

O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)

Then look for and delete this file if present

C:\WINNT\shost.exe <<only exactly as spelled as it is closely named to a legitimate file.

Then reboot and a new hijackthis log please. How is it running after the reboot?

#9 bob66

bob66

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 18 January 2006 - 02:37 AM

It seems to run 0k for now...
There seems to have funny stuff in the log file ...
But I guess i"m ok For now...
What do you think
Is Fire fox still safe? How can I prevent this carp**?
Thanks a lot!!!!



Logfile of HijackThis v1.99.1
Scan saved at 3:25:30 AM, on 18-Jan-06
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\Explorer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hjack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39525716-FC0A-439F-80D6-C22866F6BD65}: NameServer = 169.169.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5636B49E-1CC2-4DC5-AF19-8B48FB5A030D}: NameServer = 142.169.1.16 199.84.242.22
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#10 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 18 January 2006 - 10:06 PM

Click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report along with a new HijackThis Log in your next reply.

#11 bob66

bob66

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 25 January 2006 - 02:07 AM

My motherboard is dead... So I"m starting from scratch... Thanks for your help.

#12 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 25 January 2006 - 08:41 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users