check this plz
Posted by: pisycowalnut1
Logfile of HijackThis v1.99.1
Scan saved at 9:33:17 PM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\sj650\hpupdate.exe
C:\sj655\hpupdate.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\a2 Free\a2scan.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe
O4 - HKLM\..\Run: [dmc] C:\WINDOWS\System32\dmc.exe
O4 - HKLM\..\Run: [z13fi] C:\WINDOWS\System32\z13fi.exe
O4 - HKLM\..\Run: [ootvrfyb] C:\WINDOWS\System32\ootvrfyb.exe
O4 - HKLM\..\Run: [ehljqvyiuele] C:\WINDOWS\System32\cotpbq.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [url]http://www.musicnotes.com/download/mnviewer.cab[/url]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - [url]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab[/url]
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - [url]http://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB[/url]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab[/url]
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - [url]http://cafeimg.hanmail.net/cab9/dmcc2.cab[/url]
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - [url]http://community.webshots.com/html/WSPhotoUploader.CAB[/url]
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - [url]http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab[/url]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Posted by: Lobos
Hi pisycowalnut1
Welcome to Tech Forums
When we're done cleaning off your system, I'd [b]recommend[/b] that you install all the [color=#ff0000][b][i]critical Windows updates[/i][/b][/color] available from [b]Microsoft[/b], up to [i]Service Pack 1[/i]. This will help to make your system more secure and prevent many '[i]problems[/i]' from recurring in the future.
===============
Go to [b]Add/Remove programs[/b] and remove(uninstall) the following, if present:
[b][color=#ff0000]GMT, GAIN or GATOR[/color][/b]
The above could appear anywhere within the entry. Be careful not to remove any [i]personal[/i] or [i]system[/i] software.
===============
Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:
[color=#9933cc][b] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank [/b][/color]
[color=#9933cc][b] R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) [/b][/color]
[color=#9933cc][b] R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file) [/b][/color]
[color=#9933cc][b] O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file) [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [dmc] C:\WINDOWS\System32\dmc.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [z13fi] C:\WINDOWS\System32\z13fi.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [ootvrfyb] C:\WINDOWS\System32\ootvrfyb.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [ehljqvyiuele] C:\WINDOWS\System32\cotpbq.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe [/b][/color]
[color=#9933cc][b] O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe [/b][/color]
[color=#9933cc][b] O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - [url]http://www.priv.njmls.xmlsweb.com/X...ch/XMLCache.CAB[/url] [/b][/color]
[color=#9933cc][b] O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://appldnld.m7z.net/content.inf...iTunesSetup.exe[/url] [/b][/color]
[color=#9933cc][b] O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab[/url] [/b][/color]
Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".
===============
Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:
[i]folders...[/i]
[b]C:\Program Files\Common Files\[color=#ff0000]GMT[/color][/b]
[i]files...[/i]
[b]C:\WINDOWS\System32\[color=#ff0000]hcpd.exe[/color][/b]
[b]C:\WINDOWS\System32\[color=#ff0000]dmc.exe[/color][/b]
[b]C:\WINDOWS\System32\[color=#ff0000]z13fi.exe[/color][/b]
[b]C:\WINDOWS\System32\[color=#ff0000]ootvrfyb.exe[/color][/b]
[b]C:\WINDOWS\System32\[color=#ff0000]cotpbq.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]alchem.exe[/color][/b]
-
Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".
===============
Post back a new log, and let me know how everything goes.
-
Lobos.
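The cleanup above works by reading the HijackThis lines, picking out the O4 autostart entries that are suspect and the R3/O3 entries whose CLSID has no backing file, and then deleting the executables those O4 entries point at. The following parser is an added example, not code from this thread or from HijackThis; it runs over a constructed subset of the log posted above and maps a set of flagged entry names to the file paths to delete.

```python
import re

# Constructed subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
"""

# O4 registry Run entry: "O4 - HKLM\..\Run: [name] command line"
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O4 Startup-folder shortcut: "O4 - Global Startup: name.lnk = target path"
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# First Windows path in a Run command line, quoted or bare (bare paths stop at a space or comma).
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,"]+)')


def parse_hjt(text):
    """Return (autostarts, dead_refs): O4 entries as (name, path) and lines ending in '(no file)'."""
    autostarts, dead_refs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            # R3/O3 entry whose CLSID points at nothing: a leftover hook or toolbar registration.
            dead_refs.append(line)
            continue
        m = O4_RUN.match(line)
        if m:
            p = WIN_PATH.search(m.group("cmd"))
            path = (p.group(1) or p.group(2)) if p else None
            autostarts.append((m.group("name"), path))
            continue
        m = O4_STARTUP.match(line)
        if m:
            # The shortcut target is the whole right-hand side, spaces included.
            autostarts.append((m.group("name"), m.group("cmd").strip()))
    return autostarts, dead_refs


def files_to_delete(text, flagged_names):
    """Paths backing the flagged O4 entries, i.e. the 'delete the following files' list."""
    autostarts, _ = parse_hjt(text)
    return [path for name, path in autostarts if name in flagged_names and path]
```

With `files_to_delete(SAMPLE_LOG, {"hcpd", "alchem", "GStartup.lnk"})` the result is the hcpd.exe, alchem.exe and GMT.exe paths, matching the deletion list in the post above.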
Posted by: pisycowalnut1
I couldn't find any of the files except alchem.
Posted by: pisycowalnut1
Sorry for the double post, but this did not help at all. My mIRC is still infected with optic pro.
Posted by: Lobos
Please post another HijackThis log.
Posted by: pisycowalnut1
Logfile of HijackThis v1.99.1
Scan saved at 4:17:13 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\WINDOWS\ptcore.exe
C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstaller.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstaller.exe /did=5594
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - [url]http://www.addictivetechnologies.net/DM0/cab/a1bin0us.cab[/url]
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [url]http://www.musicnotes.com/download/mnviewer.cab[/url]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - [url]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab[/url]
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - [url]http://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB[/url]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab[/url]
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - [url]http://cafeimg.hanmail.net/cab9/dmcc2.cab[/url]
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - [url]http://community.webshots.com/html/WSPhotoUploader.CAB[/url]
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - [url]http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab[/url]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Posted by: Lobos
Run [b]HiJackThis[/b] then:
1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"
-
Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:
[b][color=#000000]C:\WINDOWS\[/color][color=#ff0000]ptcore.exe[/color][/b]
Now double-check and make sure that only those item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.
===============
Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:
[color=#9933cc][b] O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstaller.exe /did=5594 [/b][/color]
[color=#9933cc][b] O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - [url]http://www.priv.njmls.xmlsweb.com/X...ch/XMLCache.CAB[/url] [/b][/color]
[color=#9933cc][b] O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://appldnld.m7z.net/content.inf...iTunesSetup.exe[/url] [/b][/color]
[color=#9933cc][b] O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [url]http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab[/url] [/b][/color]
Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".
===============
Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:
[i]files...[/i]
[b]C:\WINDOWS\[color=#ff0000]ptcore.exe[/color][/b]
-
The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! [url]http://cleanup.stevengould.org/[/url] (alternate link if the main link doesn't work: [url]http://www.greyknight17.com/spy/Cleanup.exe[/url]) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.
Please run these two online scans. Make sure they are set to clean automatically:
[URL=http://housecall.trendmicro.com/]TrendMicro's HouseCall[/URL]
[URL=http://www.pandasoftware.com/activescan/]ActiveScan[/URL]
You should try to delete any files that these scanners are unable to clean. Then let us know if it's working better and what the scans found.
Then scan again with HijackThis and post another log, along with the AV logs if they could not clean something.
Lobos
Posted by: Warez Monster
Remove entries at your own risk
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - [url]http://www.addictivetechnologies.ne...ab/a1bin0us.cab[/url] This entry is possibly nasty. Should be fixed.
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url] This entry is possibly nasty. Should be fixed.