October 5th, 2005 05:00
help with maxd1
Hello, I need help with the dialer virus maxd1. It kicks me out from the web and is giving me lots of trouble with the internal use of my computer. I read I could copy and paste the log from HijackThis here for help. Thanks for any help that can be provided.
Logfile of HijackThis v1.99.1
Scan saved at 2:34:38 AM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\TMCSVC.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\rrgqy.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\rrgqy.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OutlookProfileSetup] c:\windows\outlookprf.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\DEBEJ\Application Data\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [dmbad.exe] C:\WINDOWS\System32\dmbad.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mayo.edu
O17 - HKLM\Software\..\Telephony: DomainName = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D45A35A-D216-47C6-8250-BC982CEE463B}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{4189EBC4-E67A-417B-A2BA-4F90C786DF66}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{49558F6B-D69F-4D95-9EDF-7AF2C1D4764F}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{67DD1F8E-3D0D-4D0C-A536-DF9D88A3A851}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{6907C4E0-6406-4857-8D14-BE4013906E98}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CC23EF7-A816-4E24-BF58-3EF291CB8ECA}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{81B956D8-436D-4FD1-A490-C3D426C6FE99}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{AED5D15A-6D2F-41A5-87AF-CA6C605515C1}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32FF779-3B67-4F96-95FF-3F3CAAA115E1}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{D188E53A-8FB4-4D99-8EAC-1D2B9FF70F1B}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3870151-F2F3-46AE-8875-CE5074033653}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED1FAF2B-A95A-479D-B6DB-6966189EFFBF}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mayo.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel Local Scheduler Service - Intel Corporation - C:\LDCLIENT\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intel Targeted Multicast - Intel Corporation - C:\LDCLIENT\TMCSVC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: RemoteDesktop Connection Manager (RemoteDesktopConnectionManager) - McAfee Associates Inc - C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
dobhar
October 5th, 2005 16:00
My name is dobhar and I will be looking over your log. Looks like you have some "Nasties" so please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Please do not start another Thread\Topic.
Thank You and Surf Safe... :)
mesaba
October 5th, 2005 21:00
Dobhar, thanks a lot. Just a few more details in case it helps. My Internet window is different than before (it has some checks for gambling, adult, etc. that were not there before). I have a few weird things in the running processes such as maxd1, popcorn72, svchost, and msblank. Now I found out my computer does not have a sound system anymore (I found that out 5 minutes ago). So I'm getting kind of worried. I'm actually opening the computer only to check if I got some help from the forum. Also, in case it helps, the computer is a Dell Inspiron 5100 with Windows XP Professional.
thanks for the help
Mesaba
dobhar
October 5th, 2005 22:00
Thanks,
dobhar
October 6th, 2005 05:00
Sorry for the delay...Got paged...had to do some work...
It will take a couple posts to get everything so please be patient. Thanks...
Is your ISP (Internet Service Provider) Mayo.edu???
OK...Let's get to it... (Note: You must have an active Internet connection when running this fix)
_____________________________________________________
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
_____________________________________________________
Step 1.
==========
Please download and install CCleaner from http://www.ccleaner.com/download123.asp
(Note: DO NOT run this program yet)
Step 2.
==========
- Download the DelDomains.inf from http://www.mvps.org/winhelp2002/DelDomains.inf to your Desktop
(Note: DO NOT run this program yet)
Step 3.
==========
- Please download FixWareout from one of these sites and save the file to your Desktop
http://forums.subratam.org/index.php?act=A...e=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe
Step 4.
==========
- Navigate to your Desktop and double-click the Fixwareout.exe file you just saved to run it
- Click " Next", then " Install", then make sure " Run fixit" is checked and click " Finish"
- The fix will begin; follow the prompts. You will be asked to Reboot your computer; please do so.
(NOTE: Your system may take longer than usual to load. This is normal)
Step 5.
==========
- When your system reboots (Please be patient), follow the prompts
- Afterwards, HijackThis will launch
- Please click Scan, and check the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\rrgqy.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\rrgqy.dll
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\DEBEJ\Application Data\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [dmbad.exe] C:\WINDOWS\System32\dmbad.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D45A35A-D216-47C6-8250-BC982CEE463B}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{4189EBC4-E67A-417B-A2BA-4F90C786DF66}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{49558F6B-D69F-4D95-9EDF-7AF2C1D4764F}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{67DD1F8E-3D0D-4D0C-A536-DF9D88A3A851}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{6907C4E0-6406-4857-8D14-BE4013906E98}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CC23EF7-A816-4E24-BF58-3EF291CB8ECA}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{81B956D8-436D-4FD1-A490-C3D426C6FE99}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{AED5D15A-6D2F-41A5-87AF-CA6C605515C1}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32FF779-3B67-4F96-95FF-3F3CAAA115E1}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{D188E53A-8FB4-4D99-8EAC-1D2B9FF70F1B}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3870151-F2F3-46AE-8875-CE5074033653}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED1FAF2B-A95A-479D-B6DB-6966189EFFBF}: NameServer = 85.255.113.138,85.255.112.16
Click "Fix Checked". Close HijackThis, and click OK to proceed
Step 6.
==========
Delete the following file(s) and folder(s) in BOLD only. (Note: Don't be concerned if you can't find one, but advise if not found)
Folder(s)...
C:\Documents and Settings\DEBEJ\Application Data\sgrunt <<<= Delete This Folder
File(s)...
C:\WINDOWS\System32\msblank.html <<<= Delete This File
C:\WINDOWS\System32\rrgqy.dll <<<= Delete This File
C:\WINDOWS\System32\popcorn72.exe <<<= Delete This File
C:\WINDOWS\System32\dmbad.exe <<<= Delete This File
Step 7.
==========
We now need to clean up all the Temp files, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program
- Empty Recycle Bin
Step 8.
==========
- Navigate to the DelDomains.inf file on your Desktop
- Right-click on it and choose "Install"
Step 9.
==========
- Please restart your computer
- After restarting please go to "Start" -> "Control Panel", and choose "Network Connections". Then right-click on your default connection, usually "Local Area Connection" or "Dial-up Connection" if you are using Dial-up, and left-click on "Properties". Double-click on the "Internet Protocol (TCP/IP)" item and select the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.
Step 10.
==========
- There is 1 file that might or might not be legitimate so let's check it out. <<<== You can skip this step if you KNOW this file is definitely legitimate
- Go to the Jotti's Online Malware Scan page at http://virusscan.jotti.org/
- Use the buttons at the top of the page to browse to this file on your hard drive and submit it for a scan:
c:\windows\outlookprf.exe
- Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.
Step 11.
==========
- Post a fresh new HijackThis log
- Post the contents of C:\fixwareout\report.txt
- Post back results of Jotti scan
mesaba
October 11th, 2005 01:00
Fixwareout ver 1.002
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\asimd
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
mesaba
October 11th, 2005 01:00
Hey Dobhar, me again, sorry. I posted the previous message in a different log and now did it on the old one. I can connect to the Internet now, but my connection to 1-888 (which was my default) is closed now and I cannot use it. Also, almost always the first time I open the Internet it says it has to close due to a problem, and I have to open it again (sometimes twice). So it is definitely working better, but I'm not sure I'm virus-free yet. Any advice?
thanks
Mesaba
dobhar
October 11th, 2005 02:00
Thanks,
mesaba
October 11th, 2005 12:00
Scan saved at 9:45:53 AM, on 10/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\TMCSVC.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OutlookProfileSetup] c:\windows\outlookprf.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmjuv.exe] C:\WINDOWS\System32\dmjuv.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mayo.edu
O17 - HKLM\Software\..\Telephony: DomainName = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{49558F6B-D69F-4D95-9EDF-7AF2C1D4764F}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: Domain = mayo.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mayo.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel Local Scheduler Service - Intel Corporation - C:\LDCLIENT\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intel Targeted Multicast - Intel Corporation - C:\LDCLIENT\TMCSVC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: RemoteDesktop Connection Manager (RemoteDesktopConnectionManager) - McAfee Associates Inc - C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
dobhar
October 11th, 2005 19:00
Your HJT log is 99.99999% clean but one of the O17 Entries is still hanging around. The "Wareout" nasty you had likes to change ISP (Internet Service Provider) information (IP Addresses). I need some info...
Please go to "Start" -> "Control Panel", and choose "Network Connections". Then right-click on your default connection, usually "Local Area Connection" or "Dial-up Connection" if you are using Dial-up, and left-click on "Properties". Double-click on the "Internet Protocol (TCP/IP)" item. Which radio button is on...
- "Obtain DNS servers automatically"
- "Use the following DNS server addresses"
If it is on "Use the following DNS server addresses", what are the Primary & Alternative DNS Server IP addresses??? I'm going to guess and say the Primary is 85.255.113.138 and the Alternative is 85.255.112.16. If that is the case then that is our problem. Those IP Addresses belong to our "Nasty". So if the setting is "Use the following DNS server addresses" then change it by selecting the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.
If you cannot get back on the Internet after rebooting you may need to contact your ISP as they may use " Use the following DNS server addresses" so you will have to get their Primary & Alternative DNS Server IP addresses. If you do contact your ISP mention the fact that you were Hijacked and you need help setting up your Internet information.
Post back a new fresh HJT log.
Thanks,
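The O17 check dobhar performs by hand in Step 5 of the fix and again in this post (spotting the interface still pointing at the hijacker's resolvers), written as a small triage script. This is an added example, not part of the thread or of HijackThis: the rogue pair is the one quoted in the thread, while the EXPECTED resolvers are constructed placeholders standing in for whatever the ISP actually assigns.

```python
"""Triage the O17 (DNS) entries of a HijackThis log for rogue resolvers.

Added example for this thread, not part of the original posts or of
HijackThis itself. The rogue pair is the one quoted in the thread; the
EXPECTED resolvers are constructed placeholders (RFC 5737 range).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List

# Resolvers the DNS-changer ("Wareout") pointed this machine at, per the thread.
KNOWN_ROGUE = {"85.255.113.138", "85.255.112.16"}
# Resolvers the machine should use. Constructed placeholders: in practice take
# these from the ISP or from a known-clean machine on the same network.
EXPECTED = {"192.0.2.53", "192.0.2.54"}

# O17 - <registry key>: <Name> = <value>   (key may end in \{interface GUID})
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.*)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


@dataclass
class O17Entry:
    raw: str        # original log line, reused verbatim for the HJT fix list
    interface: str  # interface GUID, or the last key component for global keys
    name: str       # Domain, DomainName or NameServer
    value: str


def parse_o17(log_text: str) -> List[O17Entry]:
    """Return every O17 entry in the log, in file order."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if not m:
            continue
        g = GUID_RE.search(m["key"])
        iface = g.group(1).upper() if g else m["key"].rsplit("\\", 1)[-1]
        entries.append(O17Entry(line, iface, m["name"], m["value"]))
    return entries


def classify(server: str) -> str:
    """Label one resolver address: 'rogue', 'expected', 'unknown' or 'invalid'."""
    try:
        ip_address(server)
    except ValueError:
        return "invalid"
    if server in KNOWN_ROGUE:
        return "rogue"
    return "expected" if server in EXPECTED else "unknown"


def flagged_nameservers(log_text: str) -> Dict[str, List[str]]:
    """Map interface GUID -> NameServer addresses that are not EXPECTED.

    A 'rogue' address is a confirmed hijack; an 'unknown' one is still reported
    because it has to be confirmed with the ISP before it can be trusted.
    """
    flagged: Dict[str, List[str]] = {}
    for e in parse_o17(log_text):
        if e.name != "NameServer":
            continue
        servers = [s.strip() for s in e.value.split(",") if s.strip()]
        bad = [s for s in servers if classify(s) != "expected"]
        if bad:
            flagged[e.interface] = bad
    return flagged


def hjt_fix_list(log_text: str) -> List[str]:
    """The O17 lines a helper would tell the user to tick before 'Fix checked'."""
    flagged = flagged_nameservers(log_text)
    return [e.raw for e in parse_o17(log_text)
            if e.name == "NameServer" and e.interface in flagged]


def dns_is_clean(log_text: str) -> bool:
    """True when no interface still points at an unexpected resolver."""
    return not flagged_nameservers(log_text)


# Excerpts of the two logs posted in the thread: before the fix, and the
# follow-up log in which one interface still carries the rogue resolvers.
BEFORE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mayo.edu
O17 - HKLM\Software\..\Telephony: DomainName = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D45A35A-D216-47C6-8250-BC982CEE463B}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{49558F6B-D69F-4D95-9EDF-7AF2C1D4764F}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: NameServer = 85.255.113.138,85.255.112.16
"""
AFTER_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{49558F6B-D69F-4D95-9EDF-7AF2C1D4764F}: NameServer = 85.255.113.138,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E266353-5BC2-4E74-9792-827BC8BA1C51}: Domain = mayo.edu
"""
```

Running `flagged_nameservers(AFTER_LOG)` returns only the {49558F6B-...} interface, which is exactly the leftover entry this post is asking about; the fix is the "Obtain DNS servers automatically" change described above, after which a fresh log should make `dns_is_clean` return True.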
dobhar
October 18th, 2005 22:00
Thank You,
dobhar
October 20th, 2005 03:00
Thanks,
mesaba
October 20th, 2005 03:00
Hey Dobhar, sorry, I tried to do what you mentioned regarding the dial-up connection, but the connection I usually use (which is 1-800 free) doesn't even show in the network connections. I have it in another folder but not in there, and cannot install it. I still have to open the explorer like 3 or 4 times to get it. Would it be any use if I re-do what you advised before and try to erase the Wareout?
By the way, the other two connections, the ones that show in the connections folder, are set as "automatic connection" and there are no numbers if I choose the other mode.
Jose