8 Posts

January 14th, 2005 21:00

Have Followed the Basic Protocol for Cleaning - Still Can't Get Rid of Item

Hello,
  • Ran the Trend Micro Online Scan and came up clean.
  • Ran Ad Aware and deleted several malware items - also did the VX2 Variant and came up okay.
  • Then I ran Spybot and deleted more junk
  • Also ran CWSShredder due to my homepage being hijacked (plus CoolWWWSearch.SmartSearch killer) - both came up clean.
  • I also installed AVG 7 and Microsoft AntiSpyware and cleaned up everything that appeared.
What I can't run is HiJackThis as it keeps shutting itself down.
My reason for doing all of this is that I googled for information, clicked on one of the resulting links and all heck broke loose. My homepage was hijacked, trojans and viruses appeared. According to everything above (that I just finished running) my system is clean however I CANNOT remove an item from the Trusted Sites list in Internet Explorer (*.frame.crazywinnings.com) - every time I remove it, it just reappears.
 
I'm sure running HiJackThis would help but as I said - it keeps shutting itself down. I followed the steps listed on the site for reasons why this might be happening but it doesn't help.
 
Short of reformatting my hard drive - is there anything else I can do?
 
Thank you in advance for your help.
 
 

Message Edited by jmeredith on 01-14-2005 05:37 PM

4.8K Posts

January 15th, 2005 00:00

jmeredith,

You are more than welcome. I'm not sure how much we're going to be able to do without HiJackThis, so let's see what we can muster...


These are the entry(s) that need to be removed:

+ TSxhL.exe   File not found: C:\documents and settings\julie meredith\local settings\temp\TSxhL.exe

+ Qcsz   File not found: C:\WINDOWS\System32\??chost.exe

(This is the purity scan trojan, the file looks missing, so all we need to do is cleanup the registry entry.)

+ Shortcut to TOOLBAR.lnk Multiple floating toolbars (Not verified) Silent Software c:\program files\toolbar 95\toolbar.exe

(I'm not familiar with this toolbar, so if you're not sure what it is, locate the file on your hard drive and remove it.)


Now, let's take a look at your system from another angle...

-

Download, and run StartupList and post back the log it creates:

http://www.allsecpros.com/download/StartupList.exe


Mike.

 

8 Posts

January 15th, 2005 00:00

Hi Mike

First of all, THANK YOU for your help - here are the results

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit   

+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell   

+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   

+ AdobeVersionCue Adobe Version Cue™ (Not verified) Adobe Sytems c:\program files\adobe\adobe version cue\controlpanel\versioncuetray.exe

+ AsioReg Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe

+ ATIPTA ATI Desktop Control Panel (Not verified) ATI Technologies, Inc. c:\program files\ati technologies\ati control panel\atiptaxx.exe

+ AVG7_CC AVG Control Center (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgcc.exe

+ AVG7_EMC AVG E-Mail Scanner (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgemc.exe

+ CTDVDDet CTDVDDET (Not verified) Creative Technology Ltd c:\program files\creative\sbaudigy2\dvdaudio\ctdvddet.exe

+ CTHelper CtHelper MFC Application (Not verified) Creative Technology Ltd c:\windows\system32\cthelper.exe

+ gcasServ Microsoft AntiSpyware Service Microsoft Corporation c:\program files\microsoft antispyware\gcasserv.exe

+ IAAnotif IAA Event Monitor User Notification Tool (Not verified) Intel Corporation c:\program files\intel\intel application accelerator\iaanotif.exe

+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ QuickTime Task  (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ TSxhL.exe   File not found: C:\documents and settings\julie meredith\local settings\temp\TSxhL.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx   

+ Register Homesite+.exe HomeSite (Not verified) Macromedia, Inc. c:\program files\macromedia\homesite+\homesite+.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup   

+ Acrobat Assistant.lnk AcroTray (Not verified) Adobe Systems Inc. c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

+ Adobe Gamma Loader.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Shortcut to TOOLBAR.lnk Multiple floating toolbars (Not verified) Silent Software c:\program files\toolbar 95\toolbar.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run   

+ ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe

+ MSMSGS Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe

+ Qcsz   File not found: C:\WINDOWS\System32\??chost.exe

4.8K Posts

January 15th, 2005 00:00

jmeredith,

Go to www.sysinternals.org and download and run autorunsc.exe. It'll display some of the registry entry(s) used to start programs on that system. Use the "File/Save as..." function to save the log to your hard drive, then just copy/paste the text back here.

Here's the link:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

-

Mike.

8 Posts

January 15th, 2005 01:00

Here is the Autoruns WITH VIEW SERVICES

HKLM\System\CurrentControlSet\Services   

+ Ati HotKey Poller ATI External Event Utility EXE Module ATI Technologies Inc. c:\windows\system32\ati2evxx.exe

+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ Avg7Alrt AVG Alert Manager (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgamsvr.exe

+ Avg7UpdSvc AVG Update Service (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgupsvc.exe

+ BAsfIpM IP monitoring service for Broadcom ASF applications. (Not verified) Broadcom Corp. c:\windows\system32\basfipm.exe

+ BITS Uses idle network bandwidth to transfer data. Microsoft Corporation c:\windows\system32\svchost.exe

+ Browser Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ ColdFusion MX Application Server ColdFusion MX Application Server (Not verified) Macromedia Inc. c:\cfusionmx\runtime\bin\jrunsvc.exe

+ ColdFusion MX ODBC Agent   File not found: C:\CFusionMX\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent"

+ ColdFusion MX ODBC Server   File not found: C:\CFusionMX\db\slserver52\bin\swstrtr.exe "ColdFusion MX ODBC Server"

+ Creative Service for CDROM Access Creative Service for CDROM Access (Not verified) Creative Technology Ltd c:\windows\system32\ctsvccda.exe

+ CryptSvc Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe

+ dmserver Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ Dnscache Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\svchost.exe

+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe

+ Fax Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network. Microsoft Corporation c:\windows\system32\fxssvc.exe

+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ IAANTMon Intel Application Accelerator RAID Monitor (Not verified) Intel Corporation c:\program files\intel\intel application accelerator\iaantmon.exe

+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe

+ MDM Supports local and remote debugging for Visual Studio and script debuggers. If this service is stopped, the debuggers will not function properly. Microsoft Corporation c:\program files\common files\microsoft shared\vs7debug\mdm.exe

+ MSSQL$MICROSOFTBCM SQL Server Windows NT (Not verified) Microsoft Corporation c:\program files\microsoft sql server\mssql$microsoftbcm\binn\sqlservr.exe

+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe

+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe

+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe

+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\svchost.exe

+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe

+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ SENS Tracks system events such as Windows logon, network, and power events.  Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\svchost.exe

+ SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\windows\system32\svchost.exe

+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe

+ srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\svchost.exe

+ Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\svchost.exe

+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\svchost.exe

+ uploadmgr Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ w32time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ winmgmt Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

+ WMDM PMSP Service WMDM PMSP Service (Not verified) Microsoft Corporation c:\windows\system32\mspmspsv.exe

+ wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\windows\system32\svchost.exe

+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit   

+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell   

+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   

+ AdobeVersionCue Adobe Version Cue™ (Not verified) Adobe Sytems c:\program files\adobe\adobe version cue\controlpanel\versioncuetray.exe

+ AsioReg Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe

+ ATIPTA ATI Desktop Control Panel (Not verified) ATI Technologies, Inc. c:\program files\ati technologies\ati control panel\atiptaxx.exe

+ AVG7_CC AVG Control Center (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgcc.exe

+ AVG7_EMC AVG E-Mail Scanner (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgemc.exe

+ CTDVDDet CTDVDDET (Not verified) Creative Technology Ltd c:\program files\creative\sbaudigy2\dvdaudio\ctdvddet.exe

+ CTHelper CtHelper MFC Application (Not verified) Creative Technology Ltd c:\windows\system32\cthelper.exe

+ gcasServ Microsoft AntiSpyware Service Microsoft Corporation c:\program files\microsoft antispyware\gcasserv.exe

+ IAAnotif IAA Event Monitor User Notification Tool (Not verified) Intel Corporation c:\program files\intel\intel application accelerator\iaanotif.exe

+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ QuickTime Task  (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx   

+ Register Homesite+.exe HomeSite (Not verified) Macromedia, Inc. c:\program files\macromedia\homesite+\homesite+.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup   

+ Acrobat Assistant.lnk AcroTray (Not verified) Adobe Systems Inc. c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

+ Adobe Gamma Loader.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Shortcut to TOOLBAR.lnk Multiple floating toolbars (Not verified) Silent Software c:\program files\toolbar 95\toolbar.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run   

+ ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe

+ MSMSGS Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe

 

8 Posts

January 15th, 2005 01:00

Hi Mike

I deleted the first 2 you mentioned (they looked suspicious to me too). The third one is okay - it's a software program I downloaded years ago and have used for quite some time.

I went to the link you mentioned but couldn't seem to find Startup List - also, when I clicked on any of the links in the Software Categories section... I got a page not found error for all. Am I just going blind?

Also... in the Autoruns software you first mentioned, I noticed there are more options under View - should I be checking any of those and posting the results back here? I just went with the defaults the first time.

4.8K Posts

January 15th, 2005 01:00

jmeredith,
 
I'll look at that closer for you tomorrow and see if anything looks suspicious; nothing turned up in my first pass on the "startuplist".
 
-
 
Until then, let's try the last version of HiJackThis and see if it will work. If it does, go ahead and post up a log for me.
 
Mike.

8 Posts

January 15th, 2005 01:00

Here are the results from using HiJackThis 1.98.2

Logfile of HijackThis v1.98.2
Scan saved at 7:43:50 PM, on 1/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toolbar 95\TOOLBAR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HJT\HJT 1.98.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.digitaljuice.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://terminal.mointel.com/tsweb/msrdp.cab

 

8 Posts

January 15th, 2005 01:00

Here is the StartupList Log

StartupList report, 1/14/2005, 7:17:57 PM
StartupList version: 1.52
Started from : C:\HJT\StartupList\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toolbar 95\TOOLBAR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\StartupList\StartupList.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
IAAnotif = C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
CTHelper = CTHELPER.EXE
CTDVDDet = C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
AsioReg = REGSVR32.EXE /S CTASIO.DLL
AdobeVersionCue = C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

[AutorunsDisabled]
Register Homesite+.exe = "C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=*Registry value not found*
SCRNSAVE.EXE=C:\WINDOWS\System32\SSTEXT3D.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[Microsoft RDP Client Control (redist)]
InProcServer32 = C:\WINDOWS\DOWNLO~1\msrdp.ocx
CODEBASE = http://terminal.mointel.com/tsweb/msrdp.cab

[DoomCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoomCln.dll
CODEBASE = http://www.microsoft.com/security/controls/DoomCln.CAB

[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

4.8K Posts

January 15th, 2005 01:00

jmeredith,

Yes, go ahead and check(tick) "View | Services" and let's see what we have there. Here's a new link to download the:

StartupList

-

Mike.

 

8 Posts

January 15th, 2005 02:00

One more thing... even though when I try to run the latest version of HijackThis it crashes... I can see under the Microsoft Error Message and it appears to catch more than 1.98.2 does.

HijackThis 1.98.2 only shows 1 item under "O15" while the new version shows 3 - will we still be able to get rid of all of this junk?
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP Range: 206.161.125.149 (HKLM)

I can also see at least 6 "O23" items but they at least look familiar to me.
2 Adobe items, 1 ATI, 2 AVG7, and 1 Broadcom

Message Edited by jmeredith on 01-14-2005 10:25 PM
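The three O15 lines above come from Internet Explorer's zone map, which is stored separately under HKCU and HKLM; the Trusted Sites dialog only edits the per-user copy, which is why an entry that also lives in HKLM keeps coming back. The following PowerShell audit is an added example (mine, not from the thread or from HijackThis): it lists every host and IP range mapped into the Trusted sites zone in either hive, using the documented Internet Settings\ZoneMap registry layout.

```powershell
# Added example, not part of the thread: audit the IE zone map in both hives.
# IE's Trusted Sites dialog edits only HKCU; an entry that also lives under HKLM
# (as HijackThis reported for *.frame.crazywinnings.com) is re-read on every
# start, which is what makes the hostname "reappear" after removal.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)

    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    if (-not (Test-Path $base)) { return }

    # Domains\<registrable domain>[\<label>]: each value name is a scheme (http, https, *)
    # and its DWORD data is the zone id.
    Get-ChildItem (Join-Path $base 'Domains') -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -split 'Domains\\', 2)[1] -split '\\'
        # Reconstruct the host: a one-level key is the domain itself, a two-level key is label.domain
        $hostName = if ($parts.Count -ge 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Hive = $Hive; Kind = 'Domain'; Target = $hostName; Scheme = $scheme
                Zone = $zone; ZoneName = $ZoneNames[$zone]; Key = $key.Name
            }
        }
    }

    # Ranges\Range<N>: the ":Range" value holds the IP or IP range, the remaining
    # values are schemes -> zone id (this is where HijackThis' "Trusted IP Range" comes from).
    Get-ChildItem (Join-Path $base 'Ranges') -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $range = $key.GetValue(':Range')
        foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Hive = $Hive; Kind = 'IPRange'; Target = $range; Scheme = $scheme
                Zone = $zone; ZoneName = $ZoneNames[$zone]; Key = $key.Name
            }
        }
    }
}

# Zone 2 is "Trusted sites": pages there run with relaxed ActiveX/scripting settings,
# so anything listed here that you did not add yourself deserves a look.
$trusted = @('HKCU', 'HKLM') | ForEach-Object { Get-ZoneMapEntries -Hive $_ } | Where-Object { $_.Zone -eq 2 }
$trusted | Format-Table Hive, Kind, Target, Scheme, ZoneName, Key -AutoSize

# If Security_HKLM_only is set, IE ignores the per-user map entirely and applies only
# HKLM, so per-user clean-ups have no effect at all.
$settings = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($settings.Security_HKLM_only -eq 1) { Write-Warning 'Security_HKLM_only = 1: only the HKLM zone map is in effect.' }
```

Run it from an elevated prompt so the HKLM keys are readable; the Key column gives the exact registry path to remove for each unwanted entry.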

4.8K Posts

January 15th, 2005 19:00

jmeredith,

It looks like you've done an excellent job in removing the problems from your system. This is the only thing that I could see right off:

O15 - Trusted Zone: *.frame.crazywinnings.com

I checked the services and other processes in the Startup List manually, and I didn't see anything that I would recognize as spyware. Are you still having the same problem with your system?

-

Mike.

8 Posts

January 17th, 2005 15:00

Hi Mike

Sorry for the delayed response but it turns out that I must have killed something important when I ran Spybot and deleted all the junk it found. I powered down my PC that day we were exchanging emails and when I went to log on the next morning to finish the job... it got into a terminal loop - I'd enter my password and hit okay, it would think for a couple seconds and go right back to the Login screen so...

Brought my PC into work this morning and will let the IT guy reinstall Windows.

Thank you so much for your help and hopefully this won't happen again :)

Julie

4.8K Posts

January 17th, 2005 16:00

Julie,

You're more than welcome!

Sorry to hear that, but glad you're back up and running. That sounds like the c:\windows\system32\userinit.exe file was missing problem that seems to crop up when malware writers will write applications that 'damage' your system when cleaned.

Mike.

Message Edited by Midnight Star on 01-17-2005 12:35 PM
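Mike's diagnosis above points at the Winlogon hand-off: Winlogon launches each Userinit entry, which in turn starts the Shell, so a missing userinit.exe sends every logon straight back to the logon screen. As an added example (not from the thread), this PowerShell check resolves each Userinit and Shell entry in both hives and confirms the file exists and carries a valid signature; it assumes Get-AuthenticodeSignature is available (Windows PowerShell 3 or later).

```powershell
# Added example, not part of the thread: verify the Winlogon hand-off values.
# The HKLM Userinit and Shell values are also classic persistence locations, and the
# HKCU Winlogon key is normally empty, so anything found there is worth a look.

function Test-WinlogonHandoff {
    $results = foreach ($hive in 'HKLM', 'HKCU') {
        $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $wl)) { continue }
        $props = Get-ItemProperty $wl
        foreach ($name in 'Userinit', 'Shell') {
            $raw = $props.$name
            if (-not $raw) { continue }   # HKCU normally has neither value
            # Both values are comma-separated lists; the trailing comma after userinit.exe is normal.
            foreach ($entry in ($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
                # Keep the executable path: a quoted path as-is, otherwise the first token
                $exe = if ($entry -match '^"([^"]+)"') { $Matches[1] } else { ($entry -split '\s+')[0] }
                # Bare names such as "explorer.exe" resolve from the Windows directory
                if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:windir $exe }
                $exists = Test-Path $exe
                [pscustomobject]@{
                    Hive = $hive; Value = $name; Entry = $entry; Resolved = $exe; Exists = $exists
                    Signature = if ($exists) { (Get-AuthenticodeSignature $exe).Status } else { 'n/a' }
                }
            }
        }
    }
    $results
}

$check = Test-WinlogonHandoff
$check | Format-Table Hive, Value, Entry, Resolved, Exists, Signature -AutoSize

# Expected state: one HKLM Userinit entry pointing at an existing, validly signed
# <windir>\system32\userinit.exe and a Shell of explorer.exe. A missing file explains a
# logon loop; an extra entry or an HKCU override is a persistence hook to investigate.
$bad = $check | Where-Object { -not $_.Exists -or $_.Hive -eq 'HKCU' -or $_.Signature -ne 'Valid' }
if ($bad) { Write-Warning "Winlogon entries needing attention:`n$($bad | Out-String)" }
```

If userinit.exe itself is missing, restoring a known-good copy from installation media (or a matching-version system) is the fix for the logon loop; the check only reports, it changes nothing.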
