Hacktool.Rootkit located in msdirectx.sys


cthurbs
10-11-2005, 12:15 AM
This is really messing with my computer I need serious help getting rid of this virus....PLEASE HELP!! aahhhhhhhhh!


p.s. Norton will not remove this item....it's very frustrating

PrntRhd
10-11-2005, 12:29 AM
Moved to Applications & Security so the experts can see it.

Budfred
10-11-2005, 07:46 AM
You are going to need to give us more info to help you... Post a HijackThis log to start:

To run HJT, extract it to a permanent folder such as one
you create like C:\HJT. Close all open windows and
browsers and make sure that all programs are enabled if
you use msconfig. Run it and Scan, then Save the log.
When the log window appears, Right click to Copy it, open
your browser and come here to Paste the entire log. Do
not make any changes until it is checked since most items
are either benign or essential to the computer.

http://www.downloads.subratam.org/hijackthis.zip

You can also run a rootkit tool and see if that can take some or all of it out:

http://www.f-secure.com/blacklight/

If the problem seems to be fixed, run and post the HJT log anyway... Chances are good that there is more...

cthurbs
10-11-2005, 10:26 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:25:04 AM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\lockx.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\Documents and Settings\Chris Thurber\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.seektheglobe.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seektheglobe.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seektheglobe.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\\xx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seektheglobe.com/sp2.php
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcappins.exe] "C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\VSO90D~1.TMP\mcappins.exe" vsocfg.ini
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-50-597-0000166.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-50-597-0000166.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

cthurbs
10-11-2005, 10:27 AM
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

cthurbs
10-11-2005, 10:29 AM
PS Blacklight does nothing on my computer...I start the scan and it just stops

Budfred
10-11-2005, 09:02 PM
Try it in Safe Mode... If it still doesn't work, try this:

Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, I suggest you disconnect from the internet and leave the PC alone until it's finished.

To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....

pangea33
10-11-2005, 09:19 PM
I haven't got the knowledge to analyze a HJT log for anyone else, but I did notice something that caught my attention. Someone recently asked about using StyleXP to change their boot screen. Your log shows StyleXPService.exe running both as a service, and as a regular process with a "hide" parameter. This seems pretty questionable to me. Do your woes coincide with the installation of that app by any chance?

cthurbs
10-11-2005, 09:47 PM
No I have had Style XP on the system for almost a year now with no problems...I just contracted this virus from a file my friend sent me through AIM.....

BASPro
10-11-2005, 09:55 PM
get some new friends......:)

cthurbs
10-11-2005, 10:13 PM
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MICROSOFTBCM\MSSQLServer\uptime_time_utc 10/11/2005 9:54 PM 8 bytes Data mismatch between Windows API and raw hive data.
C:\$AttrDef 11/17/2004 4:53 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 11/17/2004 4:53 PM 32.01 GB Hidden from Windows API.
C:\$Bitmap 11/17/2004 4:53 PM 4.55 MB Hidden from Windows API.
C:\$Boot 11/17/2004 4:53 PM 8.00 KB Hidden from Windows API.
C:\$Extend 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$LogFile 11/17/2004 4:53 PM 64.00 MB Hidden from Windows API.
C:\$MFT 11/17/2004 4:53 PM 110.44 MB Hidden from Windows API.
C:\$MFTMirr 11/17/2004 4:53 PM 4.00 KB Hidden from Windows API.
C:\$Secure 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$UpCase 11/17/2004 4:53 PM 128.00 KB Hidden from Windows API.
C:\$Volume 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
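
An added example, not part of the original thread: a Python triage of a RootkitRevealer log in the flattened form posted above, setting aside NTFS metadata files (present on every NTFS volume and never listed by the Windows API) and the two folders Budfred asked to be edited out, so that only unexplained entries are left to read. The function names and category labels are hypothetical, the sample lines are modelled on the log above with constructed additions, and `EXAMPLE.sys` is a placeholder rather than a file from this thread.

```python
import re

# NTFS metadata files exist on every NTFS volume and are never returned by the
# Windows file APIs, so a raw-disk comparison always reports them.
NTFS_METAFILES = {
    "$attrdef", "$badclus", "$bitmap", "$boot", "$extend", "$logfile",
    "$mft", "$mftmirr", "$secure", "$upcase", "$volume",
}

# Folders the helper in the thread asked to be edited out of the posted log.
SKIP_FOLDERS = (r"c:\recycler\nprotect", r"c:\system volume information")

# One entry as it appears once the log is pasted into a post:
# path, date, time, size, description, separated by whitespace.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)


def parse(log_text):
    """Return one dict per recognisable log line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Label an entry: skip-folder, ntfs-metadata, registry-mismatch or review."""
    path = entry["path"].lower()
    if any(path == f or path.startswith(f + "\\") for f in SKIP_FOLDERS):
        return "skip-folder"
    if re.match(r"[a-z]:\\", path):
        # First path component, with any ":stream" suffix removed.
        first = path[3:].split("\\", 1)[0].split(":", 1)[0]
        if first in NTFS_METAFILES:
            return "ntfs-metadata"
    if path.startswith("hk") and entry["desc"].startswith("Data mismatch"):
        # Typically a value rewritten while the scan was running; kept in its
        # own bucket (an assumption of this example) rather than discarded.
        return "registry-mismatch"
    return "review"


def triage(log_text):
    """Group entry paths by category, preserving log order."""
    groups = {"skip-folder": [], "ntfs-metadata": [],
              "registry-mismatch": [], "review": []}
    for entry in parse(log_text):
        groups[classify(entry)].append(entry["path"])
    return groups


# Sample input: the first four lines follow the log above; the last two are
# constructed for this example.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MICROSOFTBCM\MSSQLServer\uptime_time_utc 10/11/2005 9:54 PM 8 bytes Data mismatch between Windows API and raw hive data.
C:\$BadClus:$Bad 11/17/2004 4:53 PM 32.01 GB Hidden from Windows API.
C:\$Extend\$ObjId 11/17/2004 4:53 PM 0 bytes Hidden from Windows API.
C:\$MFT 11/17/2004 4:53 PM 110.44 MB Hidden from Windows API.
C:\System Volume Information\EXAMPLE\file.dat 10/11/2005 9:40 PM 1.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\EXAMPLE.sys 10/10/2005 8:15 PM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print("   ", p)
```
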

cthurbs
10-11-2005, 10:14 PM
it was accidental I'm sure....he was an old roommate from college though.... :)

Budfred
10-11-2005, 10:56 PM
Did you try BlackLight in Safe Mode?? If so, what happened??

This is a very serious infection and you have a bunch of stuff on there that needs to be cleaned... Please provide as much information as possible so that I can see more clearly what is going on...

Also, you need to contact any bank or credit company that you might have done business with on this computer and let them know that your computer has been compromised... You probably need new account numbers or other protections and you need to avoid entering any of that information on your computer until we are pretty sure it is clean... The sooner you act, the less likely you will have to spend the next 3 years cleaning up an identity theft situation...

cthurbs
10-11-2005, 11:03 PM
tried blacklight in safe mode...it told me that it cannot run in safe mode.

cthurbs
10-11-2005, 11:24 PM
would it be to my benefit to just wipe the whole thing clean and reformat although I don't know how to with XP, 98 yes but not XP...kinda dropped out of heavy computing for a while....or should I try and fix it?

Budfred
10-11-2005, 11:28 PM
Ok, RootKitRevealer is not showing anything helpful... We can do some cleanup and then try BlackLight again to see if it will run properly then...

Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

From the main ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful")

Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


Please download LQfix.exe from one of the following locations:

http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe

Save it to your desktop.
Double-Click LQfix.exe and click Next > Next > Install.
Leave the default settings, if you change them, the fix will Fail!
You need an active Internet connection, so make sure your connection is enabled.
Now make sure the "Launch LQfix" box is checked.
Click the Finish button, after clicking the Finish button the fix will start.
Follow the on-screen prompts.
Your system will reboot afterwards.
Please be patient after the reboot, there is a script running in the background that needs to complete.

Then open an HJT scan and put checks by any of these that remain:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.seektheglobe.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seektheglobe.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seektheglobe.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\\xx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seektheglobe.com/sp2.php
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-50-597-0000166.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-50-597-0000166.exe

Close all open windows except HJT and click Fix checked...

Find and delete:

C:\WINDOWS\system32\lockx.exe
C:\WINDOWS\etb\pokapoka75.exe (the folder)
C:\Program Files\Common Files\Windows\mc-50-597-0000166.exe
C:\Program Files\Common Files\mc-50-597-0000166.exe

You may need to set Windows to show hidden files to find them... In Windows XP, on the taskbar, click Start > My Computer.
In Windows Me/2000/XP, on the Tools menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
In Windows Me/2000/XP, uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Then reboot and post a fresh HJT log with a report on how things went... Post the Ewido log too...

Budfred
10-11-2005, 11:33 PM
I just saw your latest post... If you really have a rootkit, it can be a good idea to reformat and reinstall... However, RootKitRevealer isn't showing one, so we need to see if we can run Blacklight later... There is certainly a pile of malware there, but no clear sign of a rootkit yet... How did you originally come to the conclusion that you have a rootkit??

cthurbs
10-11-2005, 11:37 PM
Every time I run Norton (2005) it comes up with the following Hacktool.Rootkit as the name of the virus and it is found in msdirectx.sys. It tells me that the file cannot be deleted. I am assuming this is because the file is in use.

cthurbs
10-11-2005, 11:38 PM
I have also tried ewido...I have tried to do as much as I could with some suggestions from other posts on here and ran quite a few programs you suggest

cthurbs
10-11-2005, 11:41 PM
let me try your suggestions and get back to you

Budfred
10-11-2005, 11:41 PM
As I said, the more info you give me, the more likely I can help... What other tools have you already run... Keep in mind that some of them may actually interfere with the fix, especially if I don't know you have used them...

Budfred
10-11-2005, 11:43 PM
Also, read this:

http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html

cthurbs
10-12-2005, 12:19 AM
OK here are my log files....I already ran Norton in safe mode...it didn't come up with anything but I will try again....I really need to get to bed soon so I will try that and then check the thread in the morning...Thank you for your help so far...Hope we can get this worked out


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:14:16 AM, 10/12/2005
+ Report-Checksum: 77C60A51

+ Scan result:

HKU\S-1-5-21-3980655531-2173368617-11147193-1007\Software\DNS -> Adware.Shorty : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Chris Thurber\Application Data\Mozilla\Firefox\Profiles\3roqe5dw.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Chris Thurber\Application Data\Mozilla\Firefox\Profiles\3roqe5dw.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Chris Thurber\Application Data\Mozilla\Firefox\Profiles\3roqe5dw.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Chris Thurber\Application Data\Mozilla\Firefox\Profiles\3roqe5dw.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Chris Thurber\Application Data\Mozilla\Firefox\Profiles\3roqe5dw.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Cookies\chris thurber@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131372_876_552_3952_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131372_876_552_3952_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131372_876_552_3960_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131372_876_552_3960_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131436_2712_536_1220_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131436_2712_536_1220_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131532_3104_1464_2508_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\131532_3104_1464_2508_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\3211600_448_2844_3588_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\3211600_448_2844_3588_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\65842_1360_576_1780_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\65842_1360_576_1780_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\65842_1360_576_1784_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\65842_1360_576_1784_75.41.tmp1 -> Trojan.EliteBar.d : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\66188_1056_3060_1176_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temp\66188_1056_3060_1736_75.41.tmp -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\Documents and Settings\Chris Thurber\Local Settings\Temporary Internet Files\Content.IE5\2YNHLV5J\silent_jocker[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\DNS\gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DD9E0A1B-EDF9-4D8F-A237-F71B51\6FD70669-C3AB-4B3A-BCB4-312458 -> Spyware.Maxifiles : Cleaned with backup
C:\xz.bat -> Trojan.KillProc.a : Cleaned with backup


::Report End

cthurbs
10-12-2005, 12:32 AM
Logfile of HijackThis v1.99.1
Scan saved at 12:31:31 AM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Documents and Settings\Chris Thurber\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcappins.exe] "C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\VSO90D~1.TMP\mcappins.exe" vsocfg.ini
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-50-597-0000166.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

cthurbs
10-12-2005, 12:33 AM
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

cthurbs
10-12-2005, 12:36 AM
Everything went good. I was unable to locate the four files you mentioned:

C:\WINDOWS\system32\lockx.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\Program Files\Common Files\Windows\mc-50-597-0000166.exe
C:\Program Files\Common Files\mc-50-597-0000166.exe

Been trying to figure this whole thing out with hidden files being shown ever since I got the GD problem...so I know that's not why I didn't find them
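The four paths from the post above can be cross-checked against the O4 autorun lines of a saved HijackThis log, because a Run value that still points at a file Explorer does not show is worth reporting back to the helper. This is an added example, not part of the original thread; the function names are hypothetical, and the sample lines and target paths are copied from this thread.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-50-597-0000166.exe
O4 - Global Startup: strings.exe
"""

# The four paths listed in the post above.
TARGETS = [
    r"C:\WINDOWS\system32\lockx.exe",
    r"C:\WINDOWS\etb\pokapoka75.exe",
    r"C:\Program Files\Common Files\Windows\mc-50-597-0000166.exe",
    r"C:\Program Files\Common Files\mc-50-597-0000166.exe",
]

# Registry autoruns look like: O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
EXE_END = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)


def image_path(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: cut after the first executable extension.
    m = EXE_END.match(command)
    return m.group(1) if m else command


def run_entries(log_text):
    """Yield (hive, key, value_name, image_path) for each O4 registry autorun."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            yield hive, key, name, image_path(cmd)


def still_autostarting(log_text, targets):
    """Map each target path to the Run values in the log that still launch it."""
    wanted = {t.lower(): t for t in targets}
    hits = {t: [] for t in targets}
    for hive, key, name, path in run_entries(log_text):
        if path.lower() in wanted:
            hits[wanted[path.lower()]].append(f"{hive}\\..\\{key}: [{name}]")
    return hits
```

Startup-folder lines such as `O4 - Global Startup:` use a different layout and are not matched by this sketch.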

Budfred
10-12-2005, 07:52 AM
Why do you keep deleting your log after you post it?? You can just edit the post to reflect whatever change you want to make...

Also, did you run LQfix?? The infection it is supposed to kill is still there...

Please download and run CWShredder to see if it can take out some of this too...

http://www.intermute.com/spysubtract/cwshredder_download.html

cthurbs
10-12-2005, 12:18 PM
I deleted the log 'cause I skipped a step before I ran HJT...I did run LQfix....I will run it again though...and repost the log.... Oh yeah I ran Norton last night just like the website told me to...still wouldn't delete it...ran it in safe mode this morning and it doesn't even show up...Blacklight still won't work and now my Norton window keeps popping up with Trojan.Elitebar "unable to repair this file" fun fun

cthurbs
10-12-2005, 01:47 PM
Hey Budfred thanks for your help so far but I think I am just going to wipe the slate clean and reformat....got a bunch of useless junk on here anyway....I believe this is the best solution and I think it should be done once in a while anyway..

cthurbs
10-12-2005, 09:09 PM
Okay well it's done and over...now I have a few things to reinstall...thanks for all your help...I'm sure I will talk to you later if anything else happens....hopefully it won't but who knows...

Budfred
10-12-2005, 11:12 PM
If you haven't already loaded everything... I suggest that you use a low level format to truly wipe the disk clean... When you do a standard format it basically just wipes the FAT... That means the data is still on the disk and rootkits may even have found a way to hide files in a hidden partition... Wipe it to the base and make sure the number of gigs reported matches the drive, then reinstall...

Also, as I said earlier, get in touch with any bank or credit card company that you have done business with on the computer and get those numbers changed... Also, change ALL passwords...

Then armor up your clean system BEFORE going online... This means having at least a firewall and antivirus in place before connecting to the internet... Once you get online, set up other protections... Here is my standard prevention speech... the article is likely to be quite helpful...

This is a good time to set up protection against further
attacks. Read the article linked below about "How did I
get infected". You need an antivirus that is updated, a
good firewall (a router firewall is not enough) and a
spyware blocker like SpywareBlaster and also IE-Spyads.
All of these have good free versions available... be very
cautious about any security software that advertises in
popups or other intrusive ways, they are not only usually
useless, but also often have malware in them....

http://www.computercops.biz/postlite7736-.html

cthurbs
10-13-2005, 02:54 PM
Thanks Budfred...I did as you suggested..I am reading the article right now and following all directions...thank you for all your help...