Search
Members
Login
Register
Welcome, Guest. Please Login or Register.
May 19th, 2013, 11:03am
   TrojanHunter Forum
   Malware
   Trojans (Moderators: Helena, Gavin_Coe, Magnus)
   should i be worried??		 « Previous topic | Next topic »
Pages: 1 2 3  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: should i be worried??  (Read 6195 times)
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #15 on: Oct 6th, 2006, 1:39pm »		 Quote Quote  Modify Modify
here is teh log from SS:
 
1:16 PM: Traces Found: 108
1:16 PM: Full Sweep has completed.  Elapsed time 01:06:45
1:16 PM: HKLM\software\em\ (ID = 155618Cool
1:16 PM: File Sweep Complete, Elapsed Time: 01:05:39
12:57 PM:   uninst104.exe (ID = 344944)
12:56 PM:   uni_ehhhh.exe (ID = 344943)
12:51 PM:   justin_new.exe (ID = 373642)
12:50 PM:   justin.exe (ID = 373412)
12:50 PM:   dfndrff_e17.exe (ID = 357756)
12:50 PM:   Found Adware: dollarrevenue
12:50 PM:   mirarsetup_876057.exe (ID = 351397)
12:50 PM:   Found Adware: mirar webband
12:49 PM:   ms03483656553.exe (ID = 360957)
12:49 PM:   Found Adware: enbrowser
12:49 PM:   adrotate.dll (ID = 346110)
12:48 PM:   adrot-uninst.exe (ID = 335877)
12:48 PM:   Found Adware: trafficsolution
12:48 PM:   update.exe (ID = 34568Cool
12:36 PM:   tsuninst.exe (ID = 329490)
12:36 PM:   Found Adware: targetsaver
12:13 PM:   em.ocx (ID = 307277)
12:11 PM:   printview (ID = 2147531721)
12:11 PM:   deskbar (1 subtraces) (ID = 2147527094)
12:10 PM: Starting File Sweep
12:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
12:10 PM:   chris@zedo[1].txt (ID = 3762)
12:10 PM:   Found Spy Cookie: zedo cookie
12:10 PM:   chris@wholesalemarketer.122.2o7[1].txt (ID = 195Cool
12:10 PM:   chris@videodome[1].txt (ID = 363Cool
12:10 PM:   Found Spy Cookie: videodome cookie
12:10 PM:   chris@tribalfusion[1].txt (ID = 3589)
12:10 PM:   Found Spy Cookie: tribalfusion cookie
12:10 PM:   chris@trafficmp[1].txt (ID = 3581)
12:10 PM:   Found Spy Cookie: trafficmp cookie
12:10 PM:   chris@statse.webtrendslive[2].txt (ID = 3667)
12:10 PM:   Found Spy Cookie: webtrendslive cookie
12:10 PM:   chris@server.iad.liveperson[1].txt (ID = 3341)
12:10 PM:   Found Spy Cookie: server.iad.liveperson cookie
12:10 PM:   chris@realmedia[1].txt (ID = 3235)
12:10 PM:   chris@questionmarket[2].txt (ID = 3217)
12:10 PM:   Found Spy Cookie: questionmarket cookie
12:10 PM:   chris@qksrv[2].txt (ID = 3213)
12:10 PM:   Found Spy Cookie: qksrv cookie
12:10 PM:   chris@overture[1].txt (ID = 3105)
12:10 PM:   Found Spy Cookie: overture cookie
12:10 PM:   chris@network.realmedia[1].txt (ID = 3236)
12:10 PM:   Found Spy Cookie: realmedia cookie
12:10 PM:   chris@mygeek[1].txt (ID = 3041)
12:10 PM:   Found Spy Cookie: mygeek cookie
12:10 PM:   chris@mediaplex[1].txt (ID = 6442)
12:10 PM:   Found Spy Cookie: mediaplex cookie
12:10 PM:   chris@exitexchange[2].txt (ID = 2633)
12:10 PM:   chris@entrepreneur.122.2o7[1].txt (ID = 195Cool
12:10 PM:   Found Spy Cookie: 2o7.net cookie
12:10 PM:   chris@dist.belnk[2].txt (ID = 2293)
12:10 PM:   chris@count4.exitexchange[1].txt (ID = 2634)
12:10 PM:   chris@count2.exitexchange[1].txt (ID = 2634)
12:10 PM:   Found Spy Cookie: exitexchange cookie
12:10 PM:   chris@casalemedia[1].txt (ID = 2354)
12:10 PM:   chris@burstnet[1].txt (ID = 2336)
12:10 PM:   Found Spy Cookie: burstnet cookie
12:10 PM:   chris@bluestreak[1].txt (ID = 2314)
12:10 PM:   Found Spy Cookie: bluestreak cookie
12:10 PM:   chris@belnk[1].txt (ID = 2292)
12:10 PM:   Found Spy Cookie: belnk cookie
12:10 PM:   chris@atwola[1].txt (ID = 2255)
12:10 PM:   Found Spy Cookie: atwola cookie
12:10 PM:   chris@atdmt[2].txt (ID = 2253)
12:10 PM:   Found Spy Cookie: atlas dmt cookie
12:10 PM:   chris@as.casalemedia[1].txt (ID = 2355)
12:10 PM:   Found Spy Cookie: casalemedia cookie
12:10 PM:   chris@as-us.falkag[2].txt (ID = 2650)
12:10 PM:   Found Spy Cookie: falkag cookie
12:10 PM:   chris@apmebf[2].txt (ID = 2229)
12:10 PM:   Found Spy Cookie: apmebf cookie
12:10 PM:   chris@advertising[1].txt (ID = 2175)
12:10 PM:   Found Spy Cookie: advertising cookie
12:10 PM:   chris@adserver[1].txt (ID = 2141)
12:10 PM:   Found Spy Cookie: adserver cookie
12:10 PM:   chris@ads.pointroll[2].txt (ID = 314Cool
12:10 PM:   Found Spy Cookie: pointroll cookie
12:10 PM:   chris@adrevolver[2].txt (ID = 208Cool
12:10 PM:   chris@adrevolver[1].txt (ID = 208Cool
12:10 PM:   Found Spy Cookie: adrevolver cookie
12:10 PM:   chris@ad.yieldmanager[2].txt (ID = 3751)
12:10 PM:   Found Spy Cookie: yieldmanager cookie
12:10 PM: Starting Cookie Sweep
12:10 PM: Registry Sweep Complete, Elapsed Time:00:00:28
12:10 PM:   HKU\S-1-5-21-2975269026-2149897979-1700636632-1007\software\printview\ (ID = 1701420)
12:10 PM:   HKU\S-1-5-21-2975269026-2149897979-1700636632-1007\software\microsoft\in ternet explorer\urlsearchhooks\ || {a8b28872-3324-4cd2-8aa3-7d555c872d96} (ID = 1596954)
12:10 PM:   HKU\S-1-5-21-2975269026-2149897979-1700636632-1007\software\microsoft\in ternet explorer\toolbar\webbrowser\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530952)
12:10 PM:   Found Adware: maxifiles
12:10 PM:   HKLM\software\classes\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701527)
12:10 PM:   HKLM\software\classes\printviewbho class\ (ID = 1701524)
12:10 PM:   HKLM\software\classes\printviewbar.printviewbho.1\ (ID = 1701520)
12:10 PM:   HKLM\software\classes\printviewbar.printviewbho\ (ID = 1701519)
12:10 PM:   HKLM\software\classes\printview.printviewbarh.1\ (ID = 1701515)
12:10 PM:   HKLM\software\classes\printview.printviewbarh\ (ID = 1701509)
12:10 PM:   HKLM\software\classes\printview.printviewbar.1\ (ID = 1701505)
12:10 PM:   HKLM\software\classes\printview.printviewbar\ (ID = 1701499)
12:10 PM:   HKLM\software\classes\printview.csinstallinformation_pv.1\ (ID = 1701495)
12:10 PM:   HKLM\software\classes\printview.csinstallinformation_pv\ (ID = 1701489)
12:10 PM:   HKLM\software\classes\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701461)
12:10 PM:   HKLM\software\classes\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701440)
12:10 PM:   HKLM\software\classes\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701424)
12:10 PM:   HKCR\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701410)
12:10 PM:   HKCR\printviewbho class\ (ID = 1701407)
12:10 PM:   HKCR\printviewbar.printviewbho.1\ (ID = 1701403)
12:10 PM:   HKCR\printviewbar.printviewbho\ (ID = 1701402)
12:10 PM:   HKCR\printview.printviewbarh.1\ (ID = 170139Cool
12:10 PM:   HKCR\printview.printviewbarh\ (ID = 1701392)
12:10 PM:   HKCR\printview.printviewbar.1\ (ID = 170138Cool
12:10 PM:   HKCR\printview.printviewbar\ (ID = 1701382)
12:10 PM:   HKCR\printview.csinstallinformation_pv.1\ (ID = 170137Cool
12:10 PM:   HKCR\printview.csinstallinformation_pv\ (ID = 1701372)
12:10 PM:   HKCR\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701344)
12:10 PM:   HKCR\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701323)
12:10 PM:   HKCR\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701307)
12:10 PM:   Found Adware: adperform
12:10 PM:   HKLM\software\classes\dbtb00001.deskbarenabler.1\ (ID = 1595846)
12:10 PM:   HKLM\software\classes\dbtb00001.deskbarenabler\ (ID = 1595842)
12:10 PM:   HKCR\dbtb00001.deskbarenabler.1\ (ID = 1595711)
12:10 PM:   HKCR\dbtb00001.deskbarenabler\ (ID = 1595707)
12:10 PM:   Found Adware: desktop bar
12:10 PM:   HKLM\software\classes\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586223)
12:10 PM:   HKLM\software\classes\crypt.core.1\ (ID = 1586219)
12:10 PM:   HKLM\software\classes\crypt.core\ (ID = 1586213)
12:10 PM:   HKLM\software\classes\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586189)
12:10 PM:   HKCR\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586179)
12:10 PM:   HKCR\crypt.core.1\ (ID = 1586175)
12:10 PM:   HKCR\crypt.core\ (ID = 1586169)
12:10 PM:   HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586145)
12:10 PM:   HKCR\mm06ocx.mm06ocxf\ (ID = 1556189)
12:10 PM:   HKLM\software\classes\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1502064)
12:10 PM:   HKLM\software\classes\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1502055)
12:10 PM:   HKLM\software\classes\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1502046)
12:10 PM:   HKLM\software\classes\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 150203Cool
12:10 PM:   HKCR\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 149793Cool
12:10 PM:   HKCR\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1497902)
12:10 PM:   HKCR\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1497893)
12:10 PM:   HKCR\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1497876)
12:10 PM:   HKLM\software\classes\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323842)
12:10 PM:   HKLM\software\classes\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 132381Cool
12:10 PM:   HKLM\software\classes\mm06ocx.mm06ocxf\ (ID = 1323810)
12:10 PM:   HKCR\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323794)
12:10 PM:   HKCR\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323770)
12:10 PM:   HKLM\software\microsoft\code store database\distribution units\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75}\ (ID = 107449Cool
12:10 PM:   Found Adware: elitemediagroup-mediamotor
12:10 PM: Starting Registry Sweep
12:10 PM: Memory Sweep Complete, Elapsed Time: 00:00:26
12:09 PM: Starting Memory Sweep
12:09 PM: nso282.dll (ID = 1704840)
12:09 PM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\inprocserver32\ (ID = 1704840)
12:09 PM: Found Adware: ezula ilookup
12:09 PM: Sweep initiated using definitions version 776
12:09 PM: Spy Sweeper 5.0.5.1286 started
12:09 PM: |  Start of Session, Friday, October 06, 2006  |
********
12:09 PM: |  End of Session, Friday, October 06, 2006  |
12:08 PM: Traces Found: 2
12:08 PM: Registry Sweep Complete, Elapsed Time:00:00:13
12:08 PM:   Sweep Canceled
12:08 PM: Starting Registry Sweep
12:08 PM: Memory Sweep Complete, Elapsed Time: 00:00:41
12:08 PM: Starting Memory Sweep
12:07 PM: nso282.dll (ID = 1704840)
12:07 PM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\inprocserver32\ (ID = 1704840)
12:07 PM: Found Adware: ezula ilookup
12:07 PM: Sweep initiated using definitions version 776
12:07 PM: Spy Sweeper 5.0.5.1286 started
12:07 PM: |  Start of Session, Friday, October 06, 2006  |
********
12:07 PM: |  End of Session, Friday, October 06, 2006  |
12:06 PM: Program Version 5.0.5.1286  Using Spyware Definitions 776
12:03 PM: Your spyware definitions have been updated.
  Keylogger Shield: Off
  BHO Shield: Off
  IE Security Shield: Off
  Alternate Data Stream (ADS) Execution Shield: Off
  Startup Shield: Off
  Common Ad Sites Shield: Off
  Hosts File Shield: Off
  Spy Communication Shield: Off
  ActiveX Shield: Off
  Windows Messenger Service Shield: Off
  IE Favorites Shield: Off
  Spy Installation Shield: Off
  Memory Shield: Off
  IE Hijack Shield: Off
  IE Tracking Cookies Shield: Off
12:00 PM: Shield States
12:00 PM: Spyware Definitions: 775
12:00 PM: Spy Sweeper 5.0.5.1286 started
    Operation: Terminate
    Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
    Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
11:56 AM: Tamper Detection
    Operation: Terminate
    Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
    Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
11:56 AM: Tamper Detection
      Keylogger Shield: Off
      BHO Shield: Off
      IE Security Shield: Off
      Alternate Data Stream (ADS) Execution Shield: Off
      Startup Shield: Off
      Common Ad Sites Shield: Off
      Hosts File Shield: Off
      Spy Communication Shield: Off
      ActiveX Shield: Off
      Windows Messenger Service Shield: Off
      IE Favorites Shield: Off
      Spy Installation Shield: Off
      Memory Shield: Off
      IE Hijack Shield: Off
      IE Tracking Cookies Shield: Off
9:21 AM: Shield States
9:21 AM: Spyware Definitions: 775
9:20 AM: Spy Sweeper 5.0.5.1286 started
     Operation: File Access
     Target:  
     Source: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
8:50 AM: Tamper Detection
     Operation: File Access
     Target:  
     Source: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
8:17 PM: Tamper Detection
     Operation: File Access
     Target:  
     Source: C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
1:15 PM: Tamper Detection
12:49 PM: Your spyware definitions have been updated.
12:48 PM: Automated check for program update in progress.
  Keylogger Shield: Off
  BHO Shield: Off
  IE Security Shield: Off
  Alternate Data Stream (ADS) Execution Shield: Off
  Startup Shield: Off
  Common Ad Sites Shield: Off
  Hosts File Shield: Off
  Spy Communication Shield: Off
  ActiveX Shield: Off
  Windows Messenger Service Shield: Off
  IE Favorites Shield: Off
  Spy Installation Shield: Off
  Memory Shield: Off
  IE Hijack Shield: Off
  IE Tracking Cookies Shield: Off
10:20 AM: Shield States
10:20 AM: Spyware Definitions: 691
10:20 AM: Spy Sweeper 5.0.5.1286 started
    Operation: Terminate
    Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
    Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
11:02 PM: Tamper Detection
    Operation: Terminate
    Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
    Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
11:02 PM: Tamper Detection
    Operation: File Access
    Target:  
    Source: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
3:39 PM: Tamper Detection
      Keylogger Shield: Off
      BHO Shield: Off
      IE Security Shield: Off
      Alternate Data Stream (ADS) Execution Shield: Off
      Startup Shield: Off
      Common Ad Sites Shield: Off
      Hosts File Shield: Off
      Spy Communication Shield: Off
      ActiveX Shield: Off
      Windows Messenger Service Shield: Off
      IE Favorites Shield: Off
      Spy Installation Shield: Off
      Memory Shield: Off
      IE Hijack Shield: Off
      IE Tracking Cookies Shield: Off
2:05 PM: Shield States
2:05 PM: Spyware Definitions: 691
2:04 PM: Spy Sweeper 5.0.5.1286 started
    Operation: Terminate
    Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
    Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
2:03 PM: Tamper Detection
    Operation: Terminate
    Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
    Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
2:03 PM: Tamper Detection
      Keylogger Shield: Off
      BHO Shield: Off
      IE Security Shield: Off
      Alternate Data Stream (ADS) Execution Shield: Off
      Startup Shield: Off
      Common Ad Sites Shield: Off
      Hosts File Shield: Off
      Spy Communication Shield: Off
      ActiveX Shield: Off
      Windows Messenger Service Shield: Off
      IE Favorites Shield: Off
      Spy Installation Shield: Off
      Memory Shield: Off
      IE Hijack Shield: Off
      IE Tracking Cookies Shield: Off
1:40 PM: Shield States
1:40 PM: Spyware Definitions: 691
1:40 PM: Spy Sweeper 5.0.5.1286 started
12:56 PM: |  End of Session, Wednesday, October 04, 2006  |
12:53 PM: Startup Shield: Off
12:53 PM: Hosts File Shield: Off
12:53 PM: Keylogger Shield: Off
12:53 PM: Spy Communication Shield: Off
12:53 PM: Spy Installation Shield: Off
12:53 PM: Memory Shield: Off
12:53 PM: Windows Messenger Service Shield: Off
12:53 PM: Alternate Data Stream (ADS) Execution Shield: Off
12:53 PM: ActiveX Shield: Off
12:53 PM: IE Hijack Shield: Off
12:53 PM: BHO Shield: Off
12:53 PM: IE Security Shield: Off
12:53 PM: IE Favorites Shield: Off
12:50 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
12:50 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
  Keylogger Shield: On
  BHO Shield: On
  IE Security Shield: On
  Alternate Data Stream (ADS) Execution Shield: On
  Startup Shield: On
  Common Ad Sites Shield: Off
  Hosts File Shield: On
  Spy Communication Shield: On
  ActiveX Shield: On
  Windows Messenger Service Shield: On
  IE Favorites Shield: On
  Spy Installation Shield: On
  Memory Shield: On
  IE Hijack Shield: On
  IE Tracking Cookies Shield: Off
12:49 PM: Shield States
12:49 PM: Spyware Definitions: 691
12:49 PM: Spy Sweeper 5.0.5.1286 started
12:49 PM: Spy Sweeper 5.0.5.1286 started
IP Logged
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #16 on: Oct 6th, 2006, 1:40pm »		 Quote Quote  Modify Modify
here is the log from hijackthis:
 
Logfile of HijackThis v1.99.1
Scan saved at 1:28:24 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\elitepop06.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\BigKilla\BigKillBugs.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgjla.exe
F2 - REG:system.ini: UserInit=userinit.exe,tcppkkp.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: LotusMenu - http://discoverypark.e-enterprise.purdue.edu/wps/menu/menudisp.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
IP Logged
siliconman01
Global Moderator
*****



siliconman01

   


Gender: male
 Posts: 7666
Re: should i be worried??
« Reply #17 on: Oct 6th, 2006, 1:49pm »		 Quote Quote  Modify Modify
1.  Did you let Spy Sweeper clean and quarantine all the items that it found?
IP Logged
TrojanHunter V5.5.1003...No. 1 AT in my Book and on my Box(es)! Windows 8 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual Intel SSDs, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: NetGear R6300 router, cable modem. Also 128 gbyte Surface Pro 8 tablet.
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #18 on: Oct 6th, 2006, 1:52pm »		 Quote Quote  Modify Modify
i did download the GUI version of blacklight, and then saved it to my desktop... which gave this "F" icon on the desk top.  i then rt clicked this and had it "create a shortcut" and ran it from the shortcut icon... came up with the same msg as before.  Sad
IP Logged
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #19 on: Oct 6th, 2006, 1:56pm »		 Quote Quote  Modify Modify
yup
IP Logged
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #20 on: Oct 6th, 2006, 2:03pm »		 Quote Quote  Modify Modify
i dunno if this matters or not, but when xp booted up in safe mode, it prompted me with which user is this: chris (me) or administrator.  is the "administrator" something that comes up by default?  because there isnt any other users for this pc other than myself.
IP Logged
siliconman01
Global Moderator
*****



siliconman01

   


Gender: male
 Posts: 7666
Re: should i be worried??
« Reply #21 on: Oct 6th, 2006, 2:07pm »		 Quote Quote  Modify Modify
Okay,
 
Now please download the latest rulesets for TrojanHunter through its LiveUpdate feature.  If you are running the Trial version of TH, please go to the link below and obtain the latest updates.  Follow the instructions on the link as to how to install these.
 
http://www.misec.net/trojanhunter/updating/
 
Then reboot again back into SAFE MODE.
 
1.  Open the TH scanner.
 
2.  Select the Options icon on the left sidebar.
 
3.  Checkmark every option in the list except the very last one which is to LOG executables with double extensions.  
 
4.  Select the Scan icon on the left sidebar and select the disks that you want to scan.  
 
5.  Run a FULL scan of your system with TH scanner.  Let it clean what it finds.
 
6.  Reboot into Normal Mode and post the scan log from TH scanner.
 
7.  Post a new HJT log.
IP Logged
TrojanHunter V5.5.1003...No. 1 AT in my Book and on my Box(es)! Windows 8 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual Intel SSDs, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: NetGear R6300 router, cable modem. Also 128 gbyte Surface Pro 8 tablet.
siliconman01
Global Moderator
*****



siliconman01

   


Gender: male
 Posts: 7666
Re: should i be worried??
« Reply #22 on: Oct 6th, 2006, 2:09pm »		 Quote Quote  Modify Modify
Quote:
i dunno if this matters or not, but when xp booted up in safe mode, it prompted me with which user is this: chris (me) or administrator.  is the "administrator" something that comes up by default?  because there isnt any other users for this pc other than myself.

 
Yes, the administrator account is hidden in Windows XP except for when booting into SAFE MODE.  As long as your "Chris" account has full Admin privileges, then use "Chris".
IP Logged
TrojanHunter V5.5.1003...No. 1 AT in my Book and on my Box(es)! Windows 8 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual Intel SSDs, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: NetGear R6300 router, cable modem. Also 128 gbyte Surface Pro 8 tablet.
siliconman01
Global Moderator
*****



siliconman01

   


Gender: male
 Posts: 7666
Re: should i be worried??
« Reply #23 on: Oct 6th, 2006, 2:32pm »		 Quote Quote  Modify Modify
Please check this:
 
1.  Go START>Settings>Control Panel>User Accounts
 
Does your personal account say "Computer Administrator"?
 
IP Logged
TrojanHunter V5.5.1003...No. 1 AT in my Book and on my Box(es)! Windows 8 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual Intel SSDs, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: NetGear R6300 router, cable modem. Also 128 gbyte Surface Pro 8 tablet.
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #24 on: Oct 6th, 2006, 3:19pm »		 Quote Quote  Modify Modify
yup my acct does say computer admin.  thanks.  here is the latest TH log when i ran it in safe mode:
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found NTFS alternate data stream: C:\DELL\mmsetup_10002047b_ENU.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\aawsepersonal.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\AbsolutePoker5_3_6.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\accel.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Chris\Desktop\AdbeRdr60_enu_full.exe (Add to ignore list)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\AutostartExplorer\AutostartExplorer.exe:Zone.Iden tifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\AutostartExplorer\Descriptions.ini:Zone.Identifie r:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\AutostartExplorer.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\blbeta.exe:<5>SummaryInformation:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\blbeta.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\blbeta.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} :$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\MTB1412_30DAY.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\PokerChampsInstaller.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\setup.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\studentversion11_1.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Desktop\ubsetup.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\257KKTZ0\blbeta[1].exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\CJBLYE3S\blbetac[1].exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\My Documents\install_vs710.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\My Documents\mmsetup_10002047b_ENU.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\My Documents\install_vs710.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Chris\My Documents\mmsetup_10002047b_ENU.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Warning: Unable to unpack UPX-packed file C:\I386\USBUHCI.SYS (Add to ignore list)
Found NTFS alternate data stream: C:\Program Files\AIM\spotlight.htm:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Program Files\LimeWire.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Program Files\mame082b\roms\mame082b_i686\roms\Super Breakout (1982) (Atari) (U).zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Program Files\mame082b\roms\mame082b_i686\roms\superb.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Program Files\MTB14_StandardSetup.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Warning: Unable to unpack UPX-packed file C:\Program Files\TrojanHunter 4.2\InstTimeUpdater.exe (Add to ignore list)
Found NTFS alternate data stream: C:\studentversion11_1\setup.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Task6\bigkilla.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\$NtServicePackUninstall$\usbuhci.sys (Add to ignore list)
Found NTFS alternate data stream: C:\WINDOWS\SYSTEM32\winbrand.dll:<5>SummaryInformation:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\WINDOWS\SYSTEM32\winbrand.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}: $DATA (View ADS stream...) (Delete ADS stream)
No trojan files found
20975 files scanned in 2938 seconds
 
IP Logged
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #25 on: Oct 6th, 2006, 3:20pm »		 Quote Quote  Modify Modify
here's the HJT log:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:16:41 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\BigKilla\BigKillBugs.exe
C:\WINDOWS\system32\wuauclt.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgjla.exe
F2 - REG:system.ini: UserInit=userinit.exe,tcppkkp.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: LotusMenu - http://discoverypark.e-enterprise.purdue.edu/wps/menu/menudisp.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
IP Logged
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #26 on: Oct 6th, 2006, 3:26pm »		 Quote Quote  Modify Modify
i know this doesnt solve the root problem... but i saw those O15's on the HJT log and have removed them from my trust zone
IP Logged
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #27 on: Oct 6th, 2006, 3:29pm »		 Quote Quote  Modify Modify
i also took off elitepop06.exe (number 04 i believe) like an hour ago and its back!
IP Logged
siliconman01
Global Moderator
*****



siliconman01

   


Gender: male
 Posts: 7666
Re: should i be worried??
« Reply #28 on: Oct 6th, 2006, 3:35pm »		 Quote Quote  Modify Modify
Okay, so TH is scanning clean.  Please do this:
 
1.  Run another HJT scan.  
 
2.  When the scan is completed, place a checkmark in the boxes for the items shown below.  
 

 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O15 - Trusted Zone: *.elitemediagroup.net  
 
O15 - Trusted Zone: *.media-motor.net  
 
O15 - Trusted Zone: *.mmohsix.com  
 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)  
 
3.  Click on Fix Checked and then confirm that you want HJT to FIX them.
 
4.  After the fix is completed, close HJT and REBOOT.
 
5.  Run another HJT log and post it back here.
IP Logged
TrojanHunter V5.5.1003...No. 1 AT in my Book and on my Box(es)! Windows 8 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual Intel SSDs, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: NetGear R6300 router, cable modem. Also 128 gbyte Surface Pro 8 tablet.
cmessman
Newbie
*





   


Posts: 23
Re: should i be worried??
« Reply #29 on: Oct 6th, 2006, 3:55pm »		 Quote Quote  Modify Modify
new hjt log:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:55:14 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\BigKilla\BigKillBugs.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgjla.exe
F2 - REG:system.ini: UserInit=userinit.exe,tcppkkp.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: LotusMenu - http://discoverypark.e-enterprise.purdue.edu/wps/menu/menudisp.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
IP Logged
Pages: 1 2 3  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »