Huseyin1
asked on
I used Ad-Aware; now I'm getting an error message.
Hi all
A customer's laptop with XP Pro SP1a was infected with 6 viruses, including Sasser, Korgo and more. These were removed and fixed, and service packs were installed to prevent them coming back on the machine.
When I connected to the net I was getting many pop-ups and IE was hijacked. I ran Ad-Aware and removed all it found; then on reboot I got this error:
'Error loading C:\windows\downloaded program files\bridge.dll. The specified module could not be found.'
I found this link on the net:
http://computercops.biz/postt14722.html
but this did not help; I did not have those files on the laptop to remove.
So I did a HijackThis log, so maybe someone can tell me what I should remove from the laptop. I'm pretty sure this is to do with malware.
Logfile of HijackThis v1.97.7
Scan saved at 08:23:46, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
C:\WINDOWS\System32\jpgpdnxl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
thank you all, this is very important.
H
ASKER CERTIFIED SOLUTION
ASKER
OK, I will do this, but are you sure I should connect the laptop to the internet? Is this safe, even though it has adware on it?
H
ASKER
Sorry, ignore the last post; I am doing the HouseCall scan now.
H
:)
ASKER
You were right, there were many more viruses on there. I've removed them now (I think/hope).
Here is the log from the newer HijackThis... that error is still coming up!
Logfile of HijackThis v1.98.2
Scan saved at 09:16:10, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
H
I still see a lot, but OK... could be some backdoors.
Tick the checkbox in front of the following lines, then click "Fix checked":
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
Then reboot the computer into safe mode and delete all those files if you can find them.
Good luck,
LucF
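The O4 selection in the answer above follows a few patterns that are worth making explicit, because the same patterns recur in other logs of this kind. The Python below is an added example, not code from this thread or from HijackThis: it parses O4 registry lines (the sample is a constructed cut of the second log posted above, benign entries included) and flags an autostart entry when it matches one of this example's own heuristics, which are assumptions rather than HijackThis rules: a "Microsoft"/"Update"-style value name that launches a bare filename instead of a Microsoft path; a bare filename under HKCU\..\Run; the same file registered in three or more Run/RunServices locations; an eight-hex-digit value name; a filename one or two edits away from a real system binary (expl0rer.exe, sxvhost.exe, wauluclt.exe); a rundll32 load out of Downloaded Program Files (the bridge.dll case); or an executable living inside a user profile. The list of imitated system binaries is a short assumed one.

```python
"""Triage of HijackThis O4 (autostart) lines: an added example, not code from this
thread or from HijackThis. The sample is a cut of the second log above; every rule
is this example's own heuristic, an assumption about this kind of malware."""
import re
from collections import defaultdict

# System binaries that malware imitates by misspelling (assumed short list).
KNOWN_SYSTEM_EXES = {"explorer.exe", "svchost.exe", "wuauclt.exe",
                     "lsass.exe", "services.exe", "winlogon.exe"}
IMPERSONATION_WORDS = ("microsoft", "windows", "update")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")  # registry O4 only

# Constructed sample: a cut of the thread's second log, benign entries included.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

def levenshtein(a, b):
    """Edit distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def target_path(cmd):
    """File a Run value launches; for rundll32, the DLL it loads."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe"):
        cmd = cmd[len("rundll32.exe"):].strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    return re.split(r"\s+/|,", cmd, maxsplit=1)[0].strip()  # stop at " /x" or ",Entry"

def typosquat_of(base):
    """System binary that `base` is one or two edits away from, else None."""
    if base in KNOWN_SYSTEM_EXES:
        return None
    return next((k for k in KNOWN_SYSTEM_EXES if levenshtein(base, k) <= 2), None)

def triage(lines):
    """Map suspicious autostart file names to the reasons they were flagged."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())  # Global Startup .lnk lines do not match
        if m:
            hive, key, name, cmd = m.groups()
            path = target_path(cmd)
            entries.append((hive, key, name, path, path.rsplit("\\", 1)[-1].lower()))
    locations = defaultdict(set)  # which Run/RunServices keys launch each file
    for hive, key, _, _, base in entries:
        locations[base].add((hive, key))

    findings = defaultdict(list)
    for hive, key, name, path, base in entries:
        bare, lname, lpath = "\\" not in path, name.lower(), path.lower()
        reasons = []
        if bare and any(w in lname for w in IMPERSONATION_WORDS):
            reasons.append("Microsoft/Update-style value name but a bare filename")
        if bare and hive == "HKCU":
            reasons.append("per-user Run value with a bare filename (PATH lookup)")
        if len(locations[base]) >= 3:
            reasons.append("same file in %d autostart locations" % len(locations[base]))
        if re.fullmatch(r"[0-9A-Fa-f]{8}", name):
            reasons.append("machine-generated hex value name")
        squat = typosquat_of(base)
        if squat:
            reasons.append("misspelling of %s" % squat)
        if "\\downloaded program files\\" in lpath:
            reasons.append("loaded from the ActiveX cache, Downloaded Program Files")
        if "\\documents and settings\\" in lpath:
            reasons.append("executable stored inside a user profile")
        for r in reasons:
            if r not in findings[base]:
                findings[base].append(r)
    return dict(findings)

if __name__ == "__main__":  # usage: print the findings for the sample
    print(*("%s -> %s" % (b, "; ".join(r)) for b, r in sorted(triage(SAMPLE_LOG.splitlines()).items())), sep="\n")
```

Run it and every entry LucF ticked in the sample is flagged while Ati2mdxx.exe, zm32.exe and Dragdiag.exe are not. Two caveats a practitioner should keep in mind. First, the heuristics miss entries that a person spots by eye, such as [bpraucdee] zatuyoia.exe and [Uvumux] jpgpdnxl.exe in the full log (random-looking names with a full path in System32), so output like this narrows the review, it does not replace it. Second, "Fix checked" deletes only the registry value; the file on disk stays and must be removed separately, which is why the answer sends you into safe mode afterwards. RunServices is a Windows 9x/ME key that XP itself ignores, but worms written for both families register there too, so its presence is a useful tell rather than a live startup path.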
ASKER
what do you mean delete the files in safe mode, you mean navigate the registry and delete the entries from within the registry?
H
Nope, hijackthis will remove them from the registry, you'll have to remove the actual files yourself. So browse your disk and remove those files then (most of them will be at C:\WINDOWS\system32; for the others, you'll have to search your disk).
Download Aboutbuster (62KB) which will remove any spyware-created file in the system32 directory. Before that, disable system restore.
Run regedit and try to find the path where you have "C:\windows\downloaded programe files\bridge.dll". Delete it. It should be in HKLM\Software\microsoft\windows\currentversion\run (and runonce).
Also delete anything that shouldn't be starting with windows.
Navigate to HKLM\Software\microsoft\internet explorer\advancedoptions\browse\usebho
Delete anything suspicious. (careful)
Run AV, adaware, aboutbuster, hijack this (in safe mode) and make sure everything is clear.
Then go to IE properties->advanced and uncheck:
"Enable Install On Demand (Internet Explorer)"
"Enable Install On Demand (Other)"
"Enable Third-Party Browser Extensions"
Also you should consider buying some firewall. It improves the safety and gives you information about incoming and outgoing traffic.
ASKER
ok, I did all you have asked, I finally did a hijack this log, so hopefully I'm clean....
the error is gone by the way.
Logfile of HijackThis v1.98.2
Scan saved at 10:44:11, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
Am I clean?
Just some minor thingies left:
Fix these entries:
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
Seems like this is a virus, but I can't really find much about it.
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
http://www.sophos.com/virusinfo/analyses/w32rbotfh.html
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
http://www.pestpatrol.com/pestinfo/u/urpo.asp
LucF
ASKER
ok, will do, I'm doing a windows update at the moment, 20 critical updates, after the 22MB download and install on our LAN is done, I'll do the above, ta m8.
H
ASKER
ok, m8, I'm happy with the machine now, it's usable, so thank you very much for your time. Thank you for your efforts.
I'd give you more points, but not possible, so thanks again.
H
Glad to help :)
LucF
ASKER
:0)
H
ASKER
this is just a folder i named virus that had the hijack software in
H