Hijackthis log please check this out

Started by kaotik, June 14, 2006, 09:17:34 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

kaotik

June 14, 2006, 09:17:34 AM
Here's my Hijack this log I got after following all your instructions with S&D and Ad-Aware and enabling viewing folders

Logfile of HijackThis v1.99.1
Scan saved at 2:22:22 AM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\PAULMA~1\APPLIC~1\ICROSO~1.NET\attrib.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {4179398B-F94F-FC9D-4CC9-A2BFDF8080C1} - C:\WINDOWS\system32\iktwxw.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4179398B-F94F-FC9D-4CC9-A2BFDF8080C1} - C:\WINDOWS\system32\iktwxw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunOnce: [RUN1] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\CCWEBWND.DLL
O4 - HKLM\..\RunOnce: [RUN2] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRADEFA2.DLL
O4 - HKLM\..\RunOnce: [RUN3] C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALRSHL.EXE /REGSERVER
O4 - HKLM\..\RunOnce: [RUN4] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSCL2.DLL
O4 - HKLM\..\RunOnce: [RUN5] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\IRALSCLT.DLL
O4 - HKLM\..\RunOnce: [RUN6] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSUI.DLL
O4 - HKLM\..\RunOnce: [RUN7] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRAVCOBJ.DLL
O4 - HKLM\..\RunOnce: [RUN8] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRCTRL.DLL
O4 - HKLM\..\RunOnce: [RUN9] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRRES.DLL
O4 - HKLM\..\RunOnce: [RUNA] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSCTRL.DLL
O4 - HKLM\..\RunOnce: [RUNB] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSPLUGIN.DLL
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tadl] "C:\DOCUME~1\PAULMA~1\APPLIC~1\ICROSO~1.NET\attrib.exe" -vt yazr
O4 - HKCU\..\Run: [Mbv] C:\Program Files\Common Files\?racle\?ttrib.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162

SpyDie

#1
June 14, 2006, 03:07:50 PM
Hi there,

Could you please have a go at these instructions please?

PRINT or SAVE these instructions to text where you can access them in safe mode. 
Please follow the instructions in the order given.

INSTRUCTIONS:

A.  Download and/or update the following programs.  Install them but do NOT run them yet.

  • Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip .  Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.

  • Download CCleaner from the link at the upper right of this page: http://www.filehippo.com/download_ccleaner.html

    Note:  If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.
  • Update ewido AntiMalware
B.  Restart your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Login on your usual account.
    If you need further assistance with Safe Mode, see Symantec

    C.  Open the SmitfraudFix folder

    • Double-click smitfraudfix.cmd file to start the tool.
    • Select option #2 - Clean by typing 2 and press Enter.
      Warning : running option #2 on a uninfected computer will remove your Desktop background.
    • Wait for the tool to complete and disk cleanup to finish.
    • You will be prompted : "Registry cleaning - Do you want to clean the registry?"

      • Answer Yes by typing Y
      • Hit Enter.

    • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.

      • Answer Yes to the question "Replace infected file?" by typing Y
      • Hit Enter.
    • A reboot may be needed to finish the cleaning process.  If your computer does not restart automatically please do it yourself manually.
    • Restart in Safe Mode as instructed above.
    • The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    D. Clean Temporary Internet files with CCleaner as follows:

    • Close all open programs, including Internet Explorer, Fire Fox and any instances of Windows Explorer.
    • Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
    • A pop up box will appear advising this process will permanently delete files from your system.
    • To protect logon cookies that you wish to retain, under Options > Cookies.  Select and using the arrow move those cookies to the "Cookies to keep" column.
    • Then select the items you wish to clean up.

      • In the Windows Tab:

        • Clean all entries in the "Internet Explorer" section.
        • Clean all the entries in the "Windows Explorer" section.
        • Clean all entries in the "System" section except Windows Log Files.
      • In the Applications Tab:

        • Clean all in the Firefox/Mozilla section if you use it.
        • Clean all in the Opera section if you use it.
        • Clean Sun Java in the Internet Section.
        • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
    • Click the "Run Cleaner" button and it will scan and clean your system.
    • Click exit. 
    • Shutdown/restart the computer.
    E.  Run ewido:

    • Open ewido and click on scanner
    • Click on Complete System Scan and the scan will begin.
    • While the scan is in progress, you will be prompted to clean files, click OK
    • When prompted to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • Checkmark the box:  *Create encrypted backup in the quarantine* (recommended).  Click OK.

    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop, or any other easily accessible location.
    Now close ewido.

    F.Restart in Normal Mode

    G. Optional: To restore IE Trusted & Restricted Zone, open the SmitfraudFix folder

    • Double-click smitfraudfix.cmd
    • Select option #3 - Delete Trusted zone by typing 3 and press Enter

      • Answer Yes to the question "Restore Trusted Zone ?" by typing Y
      • Hit Enter.
    Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    H.  Double-click the HijackThis icon on your desktop.  Choose "Do a system scan and save logfile".  Include the logfile with your post.

    I.  Please post the following logs with your reply:

    • C:\rapport.txt
    • ewido log
    • HijackThis Log
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

kaotik

#2
June 14, 2006, 07:08:23 PM
I noticed a lot of symantec and some norton processes in the Hijackthis log.  I had norton a little while ago, but gave it the boot, unfortunately there was some errors during the uninstall.  Maybe you can help me with this.

SmitFraudFix v2.60

Scan done at 10:23:40.48, Wed 06/14/2006
Run from C:\Documents and Settings\Paul Marques\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

[HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\PAULMA~1\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\rmzdzx.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

[HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\system32\rmzdzx.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         12:07:12 PM, 6/14/2006
+ Report-Checksum:      E3FEFB5A

+ Scan result:

   [364] C:\WINDOWS\SYSTEM32\winrnt32.dll -> Trojan.Agent.vg : Cleaned with backup
   C:\WINDOWS\system32\winrnt32.dll -> Trojan.Agent.vg : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 12:14:31 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {4179398B-F94F-FC9D-4CC9-A2BFDF8080C1} - C:\WINDOWS\system32\iktwxw.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4179398B-F94F-FC9D-4CC9-A2BFDF8080C1} - C:\WINDOWS\system32\iktwxw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunOnce: [RUN1] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\CCWEBWND.DLL
O4 - HKLM\..\RunOnce: [RUN2] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRADEFA2.DLL
O4 - HKLM\..\RunOnce: [RUN3] C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALRSHL.EXE /REGSERVER
O4 - HKLM\..\RunOnce: [RUN4] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSCL2.DLL
O4 - HKLM\..\RunOnce: [RUN5] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\IRALSCLT.DLL
O4 - HKLM\..\RunOnce: [RUN6] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSUI.DLL
O4 - HKLM\..\RunOnce: [RUN7] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRAVCOBJ.DLL
O4 - HKLM\..\RunOnce: [RUN8] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRCTRL.DLL
O4 - HKLM\..\RunOnce: [RUN9] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRRES.DLL
O4 - HKLM\..\RunOnce: [RUNA] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSCTRL.DLL
O4 - HKLM\..\RunOnce: [RUNB] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSPLUGIN.DLL
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tadl] "C:\DOCUME~1\PAULMA~1\APPLIC~1\ICROSO~1.NET\attrib.exe" -vt yazr
O4 - HKCU\..\Run: [Mbv] C:\Program Files\Common Files\?racle\?ttrib.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

SpyDie

#3
June 14, 2006, 08:40:28 PM
Hi,

Yes I know from my own personal experience Norton is a bugger to remove *entirely*. Are there any visible signs that Norton isn't uninstalled completely? (example: some Norton/Symantec icons around)

Note: Adwatch may alert you on a few registry changes when you follow these instructions. You can either accept them or disable Ad-watch temporarily by;

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.

OK, please: Launch HijackThis again, and click 'Do a system scan only'. Let it scan and then close all browsers and  windows,  place a checkmark next to the following entries;

R3 - URLSearchHook: (no name) - {4179398B-F94F-FC9D-4CC9-A2BFDF8080C1} - C:\WINDOWS\system32\iktwxw.dll
O2 - BHO: (no name) - {4179398B-F94F-FC9D-4CC9-A2BFDF8080C1} - C:\WINDOWS\system32\iktwxw.dll
O4 - HKLM\..\RunOnce: [RUN1] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\CCWEBWND.DLL
O4 - HKLM\..\RunOnce: [RUN2] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRADEFA2.DLL
O4 - HKLM\..\RunOnce: [RUN3] C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALRSHL.EXE /REGSERVER
O4 - HKLM\..\RunOnce: [RUN4] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSCL2.DLL
O4 - HKLM\..\RunOnce: [RUN5] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\IRALSCLT.DLL
O4 - HKLM\..\RunOnce: [RUN6] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSUI.DLL
O4 - HKLM\..\RunOnce: [RUN7] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRAVCOBJ.DLL
O4 - HKLM\..\RunOnce: [RUN8] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRCTRL.DLL
O4 - HKLM\..\RunOnce: [RUN9] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRRES.DLL
O4 - HKLM\..\RunOnce: [RUNA] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSCTRL.DLL
O4 - HKLM\..\RunOnce: [RUNB] C:\WINDOWS\system32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSPLUGIN.DLL
O4 - HKCU\..\Run: [Tadl] "C:\DOCUME~1\PAULMA~1\APPLIC~1\ICROSO~1.NET\attrib.exe" -vt yazr
O4 - HKCU\..\Run: [Mbv] C:\Program Files\Common Files\?racle\?ttrib.exe
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

Click 'Fix Checked' and allow HijackThis to 'fix' the entries you've selected.

Restart the computer and post a fresh new HijackThis logfile.

Do you know anything about this file?

C:\WINDOWS\system32\mmc.dll

Could you please navigate to it and right-click on the file. Select 'Properties' and if it has a version tab, please post all of the details in that tab in your reply. One other thing I'd like you to do is upload that very file to a service called Jotti:

http://virusscan.jotti.org/

Go to that webpage and at the top of the page is a little Browse button and a textbox. Simply click 'Browse' and navigate to that file and click 'Submit'. Post the results of the 'Jotti' scan please (note it may take a few minutes).

Let me know how you get on.

Also, could you tell me what version of Norton did you have?

Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

kaotik

#4
June 14, 2006, 10:44:56 PM
I did a search in my whole Windows folder for mmc.dll and couldn't find it... I did find mmc.exe and mmcbase.dll though. 

Logfile of HijackThis v1.99.1
Scan saved at 3:50:24 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

SpyDie

#5
June 15, 2006, 03:39:27 PM
You did look in the System32 folder right? HijackThis is saying it is indeed there, could you try this file I have attached? It'll look for that file and copy it. It could a totally harmless file but I need to be sure. If it does find it, it'll copy it to the C:\. (If that happens, please do as I said before, see if it has a version tab and note down the details of it)

Of course if it doesnt find it, it really isn't there or it is hiding...

What version of Norton was it that you had installed? There are tools around that can help in removing it in it's entirety. However the tools are specfic to the version of Norton.

How are things now on the computer? Any other problems?

[attachment deleted by admin]
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

kaotik

#6
June 16, 2006, 03:57:38 AM
I had Norton AntiVirus 2005. 

mmc.dll must be hiding somehow
The find.vbs said "it doesn't exist" I ran it both from the desktop and copied it and ran it in the system32 folder.

The computer seems to be running smoother now.  Haven't had any crashes.  I was having a problem with my mouse though.  It hasn't happened in the last 24 hours.  But before that it was happening every so often.  The optical laser would turn off and unplugging and plugging it back into the usb would turn it back on.  It never seemed to turn off when I was playing computer games for some reason, and I play those for hours.

Thanks for your help btw. 

SpyDie

#7
June 18, 2006, 09:31:38 AM
Hmmm...well if you say the computer seems fine it can't be doing much at all....

Could you post a fresh HijackThis logfile please? Before we rap this up, I'd like to see if I can find out what that file is...could you try these two programs please and post the logs each creates?

A.  Please download the free beta trial of Blacklight from F-Secure from http://www.f-secure.com/blacklight/try.shtml

  • Doubleclick on bibeta.exe to run it.
  • Click the *I accept* button near the bottom of that page.
  • Download and run blacklite
  • Click  Scan > Next > Next > Exit
  • Post the text file text file named fsbl.#######.log (the #'s stand for numbers)
  • Do not rename any files
B.  Please download Rootkit Revealer from the bottom of the page at http://www.sysinternals.com/utilities/rootkitrevealer.html

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running - leave the PC idle)
  • When it is complete, select File > Save
  • Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here as a reply
One last thing, as to Norton, could you try this?

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

kaotik

#8
June 18, 2006, 10:25:56 PM
The computer is running fine, but from experience I've noticed that small nuances turn into big problems later on (security leaks, etc).  I plan on reading the "how my computer got this way" section posted in this forum so I have a better idea of how to prevent this stuff in the future.
Ran the Norton remove utility... seemed to work, I guess you'll be able to tell by the Hijackthis log tho... anyway here it is, and the other ones

06/18/06 13:57:58 [Info]: BlackLight Engine 1.0.37 initialized
06/18/06 13:57:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/18/06 13:57:58 [Note]: 7019 4
06/18/06 13:57:58 [Note]: 7005 0
06/18/06 13:58:25 [Note]: 7006 0
06/18/06 13:58:25 [Note]: 7011 1180
06/18/06 13:58:25 [Note]: 7026 0
06/18/06 13:58:25 [Note]: 7026 0
06/18/06 13:58:31 [Note]: FSRAW library version 1.7.1015
06/18/06 14:10:13 [Note]: 7007 0

HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg   5/13/2006 1:47 AM   0 bytes   Access is denied.
HKLM\SYSTEM\ControlSet003\Services\Vax347s\Config\jdgg40   6/18/2006 2:58 PM   0 bytes   Hidden from Windows API.
C:\Program Files\Eset\cache\FND1.NFI   6/18/2006 2:57 PM   481 bytes   Visible in Windows API, but not in MFT or directory index.

Logfile of HijackThis v1.99.1
Scan saved at 3:04:31 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)


SpyDie

#9
June 19, 2006, 03:23:26 PM
Atleast the computer is running fine :thumbsup:

As for the RootkitRevealer & Blacklight logs, they are fine. I decided to research upon mmc.dll & it's perfectly fine. It's part of Nero!

As for Norton, looks like it did work somewhat. It left this behind:

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

So, to wrap it up, could you 'fix' that item in HijackThis? (Just like before, place a checkmark next to it's box in the scan results and click 'Fix Checked'.) You can post a new logfile afterwards if you wish to, but there isn't any need.

Also I see you are using two Anti-viruses? (AVG & NOD32). It isn't at all good to have two Anti-viruses running at the same time. To increase the stability of your computer, please uninstall one. (If you want my personal opinion, NOD32 is a hell of alot better than AVG).

HTH
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

kaotik

#10
June 20, 2006, 09:03:12 PM
gotcha, thanks
Print
Go Up Pages1
User actions