check this plz

Posted by: pisycowalnut1

Logfile of HijackThis v1.99.1
Scan saved at 9:33:17 PM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\sj650\hpupdate.exe
C:\sj655\hpupdate.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\a2 Free\a2scan.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe
O4 - HKLM\..\Run: [dmc] C:\WINDOWS\System32\dmc.exe
O4 - HKLM\..\Run: [z13fi] C:\WINDOWS\System32\z13fi.exe
O4 - HKLM\..\Run: [ootvrfyb] C:\WINDOWS\System32\ootvrfyb.exe
O4 - HKLM\..\Run: [ehljqvyiuele] C:\WINDOWS\System32\cotpbq.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Posted by: Lobos

Hi pisycowalnut1, welcome to Tech Forums.

When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.

===============

Go to Add/Remove Programs and remove (uninstall) the following, if present:

GMT, GAIN or GATOR

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HijackThis and click "Scan", then check (tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe
O4 - HKLM\..\Run: [dmc] C:\WINDOWS\System32\dmc.exe
O4 - HKLM\..\Run: [z13fi] C:\WINDOWS\System32\z13fi.exe
O4 - HKLM\..\Run: [ootvrfyb] C:\WINDOWS\System32\ootvrfyb.exe
O4 - HKLM\..\Run: [ehljqvyiuele] C:\WINDOWS\System32\cotpbq.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/X...ch/XMLCache.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...iTunesSetup.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab

Now, with all windows closed except HijackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...
C:\Program Files\Common Files\GMT

files...
C:\WINDOWS\System32\hcpd.exe
C:\WINDOWS\System32\dmc.exe
C:\WINDOWS\System32\z13fi.exe
C:\WINDOWS\System32\ootvrfyb.exe
C:\WINDOWS\System32\cotpbq.exe
C:\WINDOWS\alchem.exe

- Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam).

===============

Post back a new log, and let me know how everything goes.

- Lobos.

Posted by: pisycowalnut1

I couldn't find any of the files except alchem..

Posted by: pisycowalnut1

Sorry for the double post, but this did not help at all.. my mIRC is still infected with optic pro.

Posted by: Lobos

Please post another HijackThis log.

Posted by: pisycowalnut1

Logfile of HijackThis v1.99.1
Scan saved at 4:17:13 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\WINDOWS\ptcore.exe
C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstaller.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstaller.exe /did=5594
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/a1bin0us.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Posted by: Lobos

Run HijackThis, then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\ptcore.exe

Now double-check and make sure that only the item(s) above are highlighted, then click "Kill process". Now click "Refresh", check again, and repeat this step if any remain.

===============

Run HijackThis and click "Scan", then check (tick) the following, if present:

O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstall
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/X...ch/XMLCache.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...iTunesSetup.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab

Now, with all windows closed except HijackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...
C:\WINDOWS\ptcore.exe

- The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! from http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknight17.com/spy/Cleanup.exe) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall - http://housecall.trendmicro.com/
ActiveScan - http://www.pandasoftware.com/activescan/

You should try to delete any files that these scanners are unable to clean. Then let us know if it's working better and what the scans found. Then scan again with HijackThis and post another log, along with the AV logs if it could not clean something.

Lobos

Posted by: Warez Monster

Remove entries at your own risk.

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.ne...ab/a1bin0us.cab
This entry is possibly nasty. Should be fixed.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
This entry is possibly nasty. Should be fixed.
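As an added example (not code from this thread or from HijackThis itself), a small Python triage script that parses the R3/O3/O4 entry lines of a HijackThis log like the ones posted above and flags the same classes of entries Lobos singled out: autoruns whose executable sits directly in the Windows or System32 directory under a name not on a known-good list, autoruns launched from a Temp folder, and hook/toolbar entries whose backing file is gone. The allowlist and the sample log lines are constructed from entries in this thread and are not authoritative.

```python
import re

# Constructed allowlist for this demo (not authoritative): binaries that legitimately
# start from Run keys directly out of the Windows directory in these logs.
KNOWN_GOOD = {"ctfmon.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable directly in C:\WINDOWS or C:\WINDOWS\System32 (no deeper subfolder).
WINDIR_RE = re.compile(r'^"?c:\\windows\\(?:system32\\)?(?P<file>[^\\\s"]+\.(?:exe|dll))', re.I)

def triage_line(line):
    """Classify one HijackThis entry. Returns (severity, reason) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    # Hooks and toolbars whose backing file is gone are leftovers worth fixing.
    if kind in ("R3", "O3") and body.endswith("(no file)"):
        return ("low", "orphaned entry: registered component has no file")
    run = RUN_RE.match(body) if kind == "O4" else None
    if not run:
        return None
    name, cmd = run.group("name"), run.group("cmd")
    # Autoruns started from a Temp folder are a classic installer/dropper footprint.
    if "\\temp\\" in cmd.lower():
        return ("high", f"[{name}] autorun launches from a Temp folder")
    w = WINDIR_RE.match(cmd)
    if w and w.group("file").lower() not in KNOWN_GOOD:
        return ("high", f"[{name}] unknown {w.group('file')} directly in the Windows directory")
    return None

def triage_log(text):
    """Return [(entry, severity, reason)] for every flagged line in a log."""
    hits = []
    for ln in text.splitlines():
        verdict = triage_line(ln)
        if verdict:
            hits.append((ln.strip(), *verdict))
    return hits

# Sample input: a handful of entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hcpd] C:\WINDOWS\System32\hcpd.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\180SACIDInstaller.exe /did=5594
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry, sev, why in triage_log(SAMPLE_LOG):
        print(f"{sev:4}  {why}\n      {entry}")
```

Entries this script does not flag are not thereby clean; it only reproduces the cheap heuristics, and anything pointing into Program Files or wrapped in RUNDLL32 still needs a manual look.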