HT log, having some problems

Status
Not open for further replies.

Seestar

Beta member
Messages
2
Hi there,

I'm experiencing some strange problems with my PC. When opening different programs, among others IE6 and McAfee SecurityCenter (MSC), a part of the window is white, so it's impossible to read texts and some buttons are displayed white.
Before this happened I had just installed MSC, updated the virus definitions, and scanned my system. The program found 3 trojans and a list of possible spyware, if I remember it right.

-----complete McAfee SecurityCenter Log---------------
06/09/2005 04:37:33 PM -- Scan Started: 9-6-2005 16:37:33
06/09/2005 04:56:52 PM -- "C:\WINNT\autoheal.exe" "Adware-BB" "5"
06/09/2005 04:56:54 PM -- "C:\WINNT\Belt.ini" "IPSentry" "5"
06/09/2005 04:56:54 PM -- "C:\WINNT\BTGrab.dll" "Adware-Searchcentrix" "5"
06/09/2005 04:56:59 PM -- "C:\WINNT\Downloaded Program Files\UniDist.ocx" "Adware-DFC" "5"
06/09/2005 05:08:00 PM -- "C:\WINNT\satmat.exe" "Adware-abetterintrnt" "5"
06/09/2005 05:08:00 PM -- "C:\WINNT\satmat.ini" "IPSentry" "5"
06/09/2005 05:09:09 PM -- "C:\WINNT\system32\angelex.exe" "Adware-BB" "5"
06/09/2005 05:10:10 PM -- "C:\WINNT\system32\exul.exe" "Adware-BB" "5"
06/09/2005 05:10:20 PM -- "C:\WINNT\system32\instsrv.exe" "Tool-SRunner" "5"
06/09/2005 05:10:21 PM -- "C:\WINNT\system32\javexulm.vxd" "Adware-BB" "5"
06/09/2005 05:10:42 PM -- "C:\WINNT\system32\netut80ex.vxd" "Adware-BB, Tool-SRunner" "5"
06/09/2005 05:11:08 PM -- "C:\WINNT\system32\trkgif.exe" "QLowZones-10" "5"
06/09/2005 05:11:33 PM -- "C:\WINNT\UnstSA2.exe" "Adware-IESearchBar" "5"
06/09/2005 05:11:47 PM -- "C:\WINNT\wsem214.dll" "Adware-DFC" "5"
06/09/2005 05:11:47 PM -- "C:\WINNT\zeta.exe" "Adware-BB" "5"
06/09/2005 05:49:19 PM -- "E:\software\windows commander\Total Commander 5.5 Crack [found via www.fileDonkey.com].exe" "Downloader-OS" "5"
06/09/2005 05:51:26 PM -- -------------------
06/09/2005 05:51:26 PM -- Total files scanned: 62146
06/09/2005 05:51:26 PM -- Files detected: 16
06/09/2005 05:51:26 PM -- Scan Done: 9-6-2005 17:51:26
-------end MSC log-----------

I removed and cleaned everything with MSC. There appeared to be no problem at that moment. But before that I had used the Norton anti-virus program, and I was not able to uninstall this now obsolete program because it said there was a problem with the Windows Installer and it could not uninstall. Finally, a little desperate and annoyed, I decided to just delete all Norton program files and also delete the part that referred to Norton from the registry with regedit.
After this I got a lot of failure notices, so I decided to restore my system state with the Windows Backup Tool.
This didn't solve the problem; now MSC doesn't start up anymore and my internet connection is blocked by ZoneAlarm. (I'm now typing this on another PC.)

I hope you can help me out a little, although I'm already preparing a little for a new Windows installation because of my stupid registry editing.

Below is the complete logfile of HijackThis.

Thanks in advance, I'm happy there's someone I can turn to.

Seestar


Logfile of HijackThis v1.99.1
Scan saved at 14:49:10, on 10-6-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ctsvccda.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\xrtrxtl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\wincmd\TOTALCMD.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\DragonNaturallySpeaking\Program\web_ie.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [msbb] c:\winnt\temp\msbb.exe
O4 - HKLM\..\Run: [CLM Front Panel] clmpanel /i
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zidcxwj] C:\WINNT\zidcxwj.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [dwroghyoq] C:\WINNT\System32\xrtrxtl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - Startup: Copy of Windows Commander.lnk = C:\WINNT\wincmd\TOTALCMD.EXE
O4 - Startup: Workrave.lnk = C:\Program Files\Workrave\lib\Workrave.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.wau.nl/qp2.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\Ctsvccda.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINNT\System32\angelex.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
 

Osiris

Golden Master
Messages
36,817
Location
Kentucky
Remove entries at your own risk


C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe Adult-content-based screen saver, where the number after Uninstall can be any number. This is a nasty process! You should fix it and try to delete it manually!

C:\WINNT\System32\xrtrxtl.exe This is an unknown process.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Should be fixed.

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing) Unknown application.
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll Must be fixed!

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([83DE62E0-5805-11D8-9B25-00E04C60FAF2] - Result: 83DE62E0-5805-11D8-9B25-00E04C60FAF2) has been checked. Must be fixed!
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([8F4E5661-F99E-4B3E-8D85-0EA71C0748E4] - Result: 8F4E5661-F99E-4B3E-8D85-0EA71C0748E4) has been checked. Must be fixed!
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing) Must be fixed!
Unnecessary (deactivated) entry that can be fixed.

O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file) Must be fixed!

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing) Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl Must be fixed!

O4 - HKLM\..\Run: [msbb] c:\winnt\temp\msbb.exe Malware Must be fixed!

O4 - HKLM\..\Run: [zidcxwj] C:\WINNT\zidcxwj.exe Unknown application.

O4 - HKLM\..\Run: [dwroghyoq] C:\WINNT\System32\xrtrxtl.exe Unknown application.

O4 - HKLM\..\Run: [CLM Front Panel] clmpanel /i Must be fixed!
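
A small triage helper for logs in this format, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the "Running processes" list and the coded entries, flags "(file missing)" and "(no file)" items as safe-to-fix orphans (the ones marked "Unnecessary (deactivated) entry" above), marks "Unknown owner" services, temp-directory autoruns and Run command lines that reference a remote host for human review, and cross-references O4 Run values against the running processes so that the live ones (xrtrxtl.exe, upd.exe) stand out from the merely registered ones. The sample log is an excerpt copied from the first HijackThis log in the thread; the rules and severities are assumptions of this example, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass

# Excerpt of the HijackThis v1.99.1 log posted in this thread (lines copied
# from the page, trimmed to what the example needs).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:49:10, on 10-6-2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\xrtrxtl.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [msbb] c:\winnt\temp\msbb.exe
O4 - HKLM\..\Run: [zidcxwj] C:\WINNT\zidcxwj.exe
O4 - HKLM\..\Run: [dwroghyoq] C:\WINNT\System32\xrtrxtl.exe
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: ISEXEng - Unknown owner - C:\WINNT\System32\angelex.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")          # "O4 - ..."
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # "HKLM\..\Run: [name] cmd"
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\win(nt|dows)\\[^\\]+$")  # file directly in the Windows directory


@dataclass
class Entry:
    code: str
    body: str
    line: str


@dataclass
class Finding:
    code: str
    severity: str        # "fix" = safe to remove; "review" = needs a human decision
    reason: str
    line: str
    active: bool = False  # True when the target executable is in the running-process list


def parse_hjt_log(text):
    """Split a HijackThis log into (running processes, coded entries)."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["code"], m["body"], line))
    return processes, entries


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def split_command(cmd):
    """Return (executable, arguments) from a Run value; handles quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(processes, entries):
    """Apply the (assumed, heuristic) rules and return a list of Findings."""
    running = {basename(p) for p in processes}
    findings = []
    for e in entries:
        low = e.line.lower()
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(e.code, "fix", "dangling reference: target no longer exists", e.line))
        elif e.code == "O23" and "unknown owner" in low:
            target = basename(e.body.rsplit(" - ", 1)[-1])
            findings.append(Finding(e.code, "review", "service without vendor information; verify the binary",
                                    e.line, target in running))
        elif e.code == "O4" and (m := RUN_RE.match(e.body)):
            exe, args = split_command(m["cmd"])
            active = basename(exe) in running
            host = HOST_RE.search(args)
            if "\\temp\\" in exe.lower():
                findings.append(Finding(e.code, "fix", "autorun from a temp directory", e.line, active))
            elif WINDIR_ROOT_RE.match(exe.lower()):
                findings.append(Finding(e.code, "review", "executable dropped directly into the Windows directory", e.line, active))
            elif host:
                findings.append(Finding(e.code, "review", f"command line references remote host {host.group(0)}", e.line, active))
    return findings


def active_autoruns(processes, entries):
    """Names of O4 Run values whose executable is currently running."""
    running = {basename(p) for p in processes}
    return [m["name"] for e in entries if e.code == "O4"
            for m in [RUN_RE.match(e.body)] if m and basename(split_command(m["cmd"])[0]) in running]


if __name__ == "__main__":
    procs, ents = parse_hjt_log(SAMPLE_LOG)
    for f in triage(procs, ents):
        print(f"[{f.severity:6}] {f.code} {f.reason}{' (running)' if f.active else ''}\n         {f.line}")
    print("Run entries whose process is live:", active_autoruns(procs, ents))
```

Note that xrtrxtl.exe produces no finding at all: it sits in System32 with a plausible-looking path, so only the cross-reference with the process list reveals that the `dwroghyoq` Run value is live. That is the gap these rules have by design, and it is why the analyst in the thread still had to look at the unknown entries by hand.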
 

Seestar

Beta member
Messages
2
OK, thanks.

I followed the instructions; below is my new HJT log.
But I still have the problem with the white windows and disappearing text and images while trying to re-install McAfee Security Center.



Logfile of HijackThis v1.99.1
Scan saved at 11:56:24, on 13-6-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ctsvccda.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\wincmd\TOTALCMD.EXE
C:\Program Files\Workrave\lib\Workrave.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\DragonNaturallySpeaking\Program\web_ie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - Startup: Copy of Windows Commander.lnk = C:\WINNT\wincmd\TOTALCMD.EXE
O4 - Startup: Workrave.lnk = C:\Program Files\Workrave\lib\Workrave.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.wau.nl/qp2.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\Ctsvccda.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINNT\system32\ZoneLabs\vsmon.exe (file missing)
 