TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Barbora on January 07, 2005, 06:52:39 PM

Title: ist svc
Post by: Barbora on January 07, 2005, 06:52:39 PM: Hey,

so I did run the Hijackthis program, did the scan and saved the list, it wrote me that a error occured:

Logfile of HijackThis v1.99.0
Scan saved at 11:44:35 PM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\hmvqcno.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hsehyj\Hujjdrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=1c02&lc=0409 (http://\"http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=138770 (http://\"http://www.couldnotfind.com/search_page.html?&account_id=138770\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [uZEX] C:\WINDOWS\hmvqcno.exe
O4 - HKLM\..\Run: [rkr] C:\WINDOWS\rkr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [Kbitfldp] C:\Program Files\Hsehyj\Hujjdrk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [-
] C:\WINDOWS\hmvqcno.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...0006_cracks.cab (http://\"http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab\")
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab (http://\"http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101664351169 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101664351169\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

and now what??? /ohmy.gif\' class=\'bbc_emoticon\' alt=\':o\' />) please!

Thanx
BK
Title: ist svc
Post by: guestolo on January 08, 2005, 01:28:49 AM: Let's try some cleanup,
Access your Add/Remove Programs and Remove if found
180 Search Assistant or 180solutions
NCase
Msbb
Internet Optimizer
WebRebates
ISTbar

RESTART your computer if anything is removed--let me know what was removed

When back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Download and Install Spybot S&D 1.3 (http://\"http://www.download.com/3000-8022-10122137.html\")
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes.. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems Let it complete it's scanning---Ensure to check and FIX Checked Problems--- everything in RED---they should be checked by default

RESTART your computer to finish the Cleaning process

Post back here a Fresh Hijackthis log afterwards
Title: ist svc
Post by: Barbora on January 13, 2005, 10:42:33 AM: U probably saved my notebook /ohmy.gif\' class=\'bbc_emoticon\' alt=\':o\' />)

THANK U SO MUCH!

So with Ad-Aware it found 282 and deleted 279 and with Spybot it found other 25 entries and fixed all.... terrible!

And what now? Is the result ok now? Should I run these 2 programs that I've installed once in a while? How often do U suggest???

Thank U again for your help!

Barbora

Here is the new hijackthis:

Logfile of HijackThis v1.99.0
Scan saved at 3:32:45 PM, on 1/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hsehyj\Hujjdrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=1c02&lc=0409 (http://\"http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [uZEX] C:\WINDOWS\hmvqcno.exe
O4 - HKLM\..\Run: [rkr] C:\WINDOWS\rkr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [Kbitfldp] C:\Program Files\Hsehyj\Hujjdrk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab (http://\"http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101664351169 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101664351169\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: ist svc
Post by: Barbora on January 13, 2005, 10:53:10 AM: Oh, and I forgot to write to U that before I removed manually
180 Search Assistent
Web Rebates
ITS bar
and some morem but I dont remember the names anymore,
but U couldnt remove
Internet Optimizer
Slotch bar
but after the ad-aware check they were gone too, at least the exe files....

BK
Title: ist svc
Post by: guestolo on January 13, 2005, 11:05:47 AM: hi again barbora
I'm just on my way to work, so I won't be able to look over your log until later

We still have a bit of cleanup to do

Could you do me a favor and try a free Online virus scan at Housecall's

http://housecall.trendmicro.com/ (http://\"http://housecall.trendmicro.com/\")
After the definitions and active x component install
Ensure you set it to Autoclean and check your local disks

Let me know what it finds
If it can't remove something let me know

Post back a fresh Hijackthis log afterwards

You may want to disable Norton's Autoprotect while your running it
Title: ist svc
Post by: Barbora on January 13, 2005, 02:22:53 PM: Hi Questolo,

I am sorry but I couldnt do the housecall scan, b/c I am not using Netscape and so the installation failed. I am using mostly Mozilla or even Explorer... so what should I do? And cant I just try to fix those files in hijackthis???

And I didnt understand in this sentence what should I do:
"After the definitions and active x component install"

Thanx again, I hope your working day is good?

Anyway why R U helping people here? It must take U so much time!

Barbora
Title: ist svc
Post by: guestolo on January 13, 2005, 09:20:02 PM: Let's try a little more cleanup

Because you have/had Coolweb infection let's make sure you run this utility through your computer
Download and save to Desktop
The Standalone version of CWShredder.exe (http://\"http://cwshredder.net/bin/CWShredder.exe\")
Don't run it yet

Download and Install Windows CleanUp! by StevenGould (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install for now but Don't run a scan yet
This will clean all your temp folders, cookies, prefetch folder, etc....

Print this out or save to a Notepad file on your desktop for easy access

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Restart your computer into SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039\")

Look for and delete these files or folders if they exist
C:\WINDOWS\hmvqcno.exe <--file
C:\WINDOWS\rkr.exe <--file

Stay in safe mode

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

O4 - HKLM\..\Run: [uZEX] C:\WINDOWS\hmvqcno.exe
O4 - HKLM\..\Run: [rkr] C:\WINDOWS\rkr.exe

O4 - HKLM\..\Run: [Kbitfldp] C:\Program Files\Hsehyj\Hujjdrk.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Again in safe mode
Open CWShredder and click ONLY the FIX button, let if Fix all problems

Open Windows CleanUp! and click on the Cleanup button
Let it scan for files, when it's done it will prompt you to Log off, simply
Restart back to Normal mode

Back in Normal mode

Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/ (http://\"http://virusscan.jotti.dhs.org/\")
Use the Browse button at the top of that links page and navigate to this file
C:\Program Files\Hsehyj\Hujjdrk.exe <--this file, notice the spelling
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here

Also, let me know what else is in the Hsehyj folder, it may be all malware related

To get the scan to work properly at Housecall's TrendMicro, try using Internet Explorer
It will first install the Active X component and then the virus definitions will load
Make sure to check AutoClean when scanning
On a cable connection this scan won't take long, about 20 minutes
I did one myself there last night, even though I have AV software on my computer
It's just a second opinion... Please try and run one

Post back a fresh hijackthiis log and the info for that file and folder

P.S. Hold onto Ad-Aware and Spybot
I'll give you a rundown on the tools you have after your clean
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Title: ist svc
Post by: Barbora on January 14, 2005, 08:35:10 AM: So here is the scan from the page:

Service load:
0%              100%
File:    Hujjdrk.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
PETITE

AntiVir
TR/DelProx.A (0.15 seconds taken)
Avast
No viruses found (1.51 seconds taken)
BitDefender
Trojan.Small.CY (0.37 seconds taken)
ClamAV
No viruses found (0.46 seconds taken)
Dr.Web
Trojan.DownLoader.1389 (0.57 seconds taken)
F-Prot Antivirus
W32/Downloader.AAW (0.07 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.Small.cy (0.70 seconds taken)
mks_vir
Trojan.Small.Cy.A (0.20 seconds taken)
NOD32
No viruses found (0.47 seconds taken)
Norman Virus Control
No viruses found (0.87 seconds taken)

Statistics
Last piece of malware found was Trojan.Small.Cy.A in Hujjdrk.exe, detected by:

Scanner    Malware name    Time taken
AntiVir    TR/DelProx.A    0.15 seconds
Avast    X    1.51 seconds
BitDefender    Trojan.Small.CY    0.36 seconds
ClamAV    X    0.44 seconds
Dr.Web    Trojan.DownLoader.1389    0.57 seconds
F-Prot Antivirus    W32/Downloader.AAW    0.07 seconds
Kaspersky Anti-Virus    Trojan.Win32.Small.cy    0.72 seconds
mks_vir    Trojan.Small.Cy.A    0.22 seconds
NOD32    X    0.49 seconds
Norman Virus Control    X    0.91 seconds
Title: ist svc
Post by: Barbora on January 14, 2005, 08:38:24 AM: And in the Hsehyj folder is nothing but the Hujjdrk.exe
Title: ist svc
Post by: Barbora on January 14, 2005, 09:23:36 AM: So I did the house call finally and it didnt find anything /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Here is the fresh hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 2:13:39 PM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=1c02&lc=0409 (http://\"http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab (http://\"http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101664351169 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101664351169\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

And here is the info:

* HijackThis v1.99 *
Written by Merijn - [email protected]
http://www.merijn.org/files/hijackthis.zip (http://\"http://www.merijn.org/files/hijackthis.zip\")
http://www.merijn.org/index.html (http://\"http://www.merijn.org/index.html\")

See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services

* Version history *

[v1.99]
* Added O23 (NT Services) in light of newer trojans
* Integrated ADS Spy into Misc Tools section
* Added 'Action taken' to info in 'More info on this item'
[v1.98]
* Definitive support for Japanese/Chinese/Korean systems
* Added O20 (AppInit_DLLs) in light of newer trojans
* Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
* Added O22 (SharedTaskScheduler) in light of newer trojans
* Backups of fixed items are now saved in separate folder
* HijackThis now checks if it was started from a temp folder
* Added a small process manager (Misc Tools section)
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%[censored]browser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.Email Removed in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

Ok, now should I set back the settings for the read only files????

And Is the last hijackthis log ok finally? All those tests took me like forever!!!

Should I use all those programs I've installed? Do they protect my PC automatically or do I need to check for updates and run them sometimes?

Thank U so much for your help! I know that I said it already like 20 times but without U I wouldnt even know about all these stuff in my pc and specially how to get rid of them....

/ohmy.gif\' class=\'bbc_emoticon\' alt=\':o\' />)

Barbora
Title: ist svc
Post by: Barbora on January 14, 2005, 04:01:16 PM: I did Norton Antivirus check and it still found one adware:
The file C:\Program Files\Hsehyj\Hujjdrk.exe is a Adware threat.

What should I do?
Title: ist svc
Post by: Barbora on January 14, 2005, 04:18:42 PM: and now Microsoft is offering for free
Microsoft Windows AntiSpyware beta 1.0 – freeware
Microsoft Windows Malicious Software Removal Tool 1.0 – freeware
are they any good?

which programs do u recommand and how should i use them?

thanx BK
Title: ist svc
Post by: guestolo on January 15, 2005, 08:15:02 PM: Looking good, let's review /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Make sure that you delete this folder if you haven't already
C:\Program Files\Hsehyj

If everything is running smooth now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point

Here's a link, just in case your unsure how to
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")

You should set up extra protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Hold onto Spybot and Ad-Aware, check for updates every couple of weeks and run a scan
With Ad-Aware, you may choose to do a Smart system scan, it's a lot quicker
Ensure to do a Full System scan once in a while

hold onto Windows CleanUp! and clean those temp folders every couple of weeks
Best done after you first restart the computer
You may want to check it's options and uncheck Prefetch
You may want to choose that option once every couple of months

Could you let me know what this entry in your log is related too, thanks
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

Navigate to C:\Program Files
Right click on \BUTTER~1 and left click properities and version
Any idea what it's related too
Or do the same for this file BO1HEL~1.EXE
Not sure of the exact names but they start with Butter or BO1HEL

Microsoft Windows AntiSpyware beta 1.0
I don't use it, it seems to be related too Microsoft's new Spyware Remover
In Cooperation with Giant's Spyware Remover
Giant's has never been on the Rogue list so I will leave this up to you if Install it or not
Title: ist svc
Post by: Barbora on January 16, 2005, 06:45:37 AM: I dont know how to find out info about
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

And I didnt find any BUTTER~1 in C:\Program Files
But I found it in C:\WINDOW - it said it was a txt document so I deleted it and I found also BUTTERFL.BM_ and I deleted it, too.

And I didnt find any BO1HEL~1.EXE at all

So is my PC finally clean? /ohmy.gif\' class=\'bbc_emoticon\' alt=\':o\' />)

I hope so, b/c it was a disaster! Really and I have to tell U that U R incredibly patient, thanx /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

BK
Title: ist svc
Post by: guestolo on January 16, 2005, 10:17:05 AM: If you delete it you should remove the entry from Hijackthis
Can I see one last log, thanks

By the way, I installed Microsoft Anti-Spyware version to see what it's like

It's not too bad
However it flagged a couple entries that were OK
They were entries added by IE-Spyad or SpywareBlaster
to my Restricted Zones settings

Probably just a bug in Microsoft's, or should I say Giant's software /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
I sent out a Report about it, I'm sure I won't be the only one

I shut down all the Auto features that it applies by default
That's up to you to have them running
The auto protect---bho----autoupdater

I'll check for updates when I want too
I use SpywareGuard for Realtime protection
Take a look
http://www.javacoolsoftware.com/spywareguard.html (http://\"http://www.javacoolsoftware.com/spywareguard.html\")
Title: ist svc
Post by: Barbora on January 16, 2005, 01:19:02 PM: How do I remove the entry from Hijackthis ????

Here is the log:

Logfile of HijackThis v1.99.0
Scan saved at 6:13:48 PM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...&c=1c02&lc=0409 (http://\"http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab (http://\"http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101664351169 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101664351169\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Title: ist svc
Post by: Barbora on January 16, 2005, 01:22:21 PM: U know U made me instal like 5 programs and I am confused... do I need all of them? And also many times I dont know what to do w/the result... Hopefully they will do everything for me, b/c without a guide like U I am lost!

/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' />

BK
Title: ist svc
Post by: Barbora on January 16, 2005, 01:31:03 PM: I've just checked and I have 8 programs installed to protect my PC, I feel really safe now! /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> What do U think???

BK
Title: ist svc
Post by: guestolo on January 16, 2005, 01:34:05 PM: Hold onto Spybot and Ad-Aware
Hold onto Windows CleanUp!

Hold onto IE-Spyad and SpywareBlaster
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Windows Beta Anti-Spyware is up to you

Spybot and Ad-aware have been around a lot longer

If you installed SpywareGuard
Open SpywareGuard and click LiveUpdate
Click Next>>If there's an update let it download them
It doesn't need to and won't update that often, but check once a month

SpywareBlaster>>Check for updates every couple of weeks

Ad-Aware and Spybot>>Check for updates every couple of weeks

Windows CleanUp! >> Use it every couple of weeks to clean your temp folders, etc....

Any questions, don't be scared to ask /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

EDIT>>Sorry, forgot to add

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer and make sure it is gone by doing another scan, if it's gone I don't need to see another log
Title: ist svc
Post by: Barbora on January 16, 2005, 05:09:12 PM: So I fixed it and it's gone, but when I was restarting the PC, a blue screen appeared (it has happened several times already and even when I installed windows again). The screen says:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If it is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for drivers update. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe mode to remove or disable componets, restart your computer, press F8 to select Select Advanced Startup Options, and then select Safe mode.

Technical information:

*** STOP: 0x0000008E (0xC0000005, 0x805F4788, 0xF2D50ADC, 0x00000000)

WHAT DOES IT ALL MEAN??? And what is caching or shadowing? /unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' />
Title: ist svc
Post by: Barbora on January 16, 2005, 05:30:24 PM: And I am holding onto all of those programs U have recommanded to me, I trust U! /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

But help me to understand....

Ad-adware SE Personal: I have to run it by myself - does it even remove the worms or only finds them? (I call them worms b/c I dont know the differences between them)

Windows CleanUp: I have to run, too and it removes temporary files from my PC. Should I disable the Prefetch?

Spyware Guard and Spyware Blaster run when I start my PC? They dont let worms to be downloaded???

And these belowe - do I have to run them or do they start automatically, or do they notice me when I visit some ensecure site or what????
CWShredder: ???

SpyBot: ???

IE-SPYAD: ?????????????

As U can see, I am little bit confused... is there any site FOR BEGINNERS(!) that explains what are those sywares, adwares, malwares or whatever it is???

Thanx BK
Title: ist svc
Post by: Barbora on January 16, 2005, 05:52:13 PM: Oh, and what about the hidden files and folders, shouldnt I hide them again?

Too many questions??? /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Title: ist svc
Post by: guestolo on January 16, 2005, 07:30:21 PM: Go ahead and hide hidden files and folders again

Go ahead and Delete CWShredder

Let's see
You have the free versions of everything

AD-Aware---Check for updates every couple of weeks--Click the Connect to Download the updates and run a scan
As mentioned, you may want to do a smart system scan and just do a Full once a month
After the scan is done, check all Critical objects and let Ad-Aware fix them, they will Autoquarantine

Spybot--Check for updates every couple of weeks also
If there's an update, check all of them and then download them
Check for Problems--When the scan is complete all bad entries will be in RED
Make sure there all checked and then FIX CHECKED problems

SpywareBlaster--Doesn't run in the background, just sets Registry entries
Simply check for updates every couple of weeks, when there's an update it will be downloaded and then Enable All Protection
Make sure you check for updates now and Enable all protection

IE-Spyad---It's a little different
Again, it doesn't run in the background, just sets registry entries
Bad sites have to follow the Restricted Sites settings, these sites are added by IE-Spyad
Keep the link bookmarked to their download site
Check for updates every couple of weeks
When there's an update
Download IE-Spyad.exe to desktop and double click to run it
It will unzip to the C:\IE-Spyad folder, overwriting the old version
Navigate to that folder and open it up
After every update you will have to Uninstall the Old Registry entries and then Install the new ones
There are 2 methods, but you may choose to just Double click on the
Install.bat follow the prompts to Uninstall and then run Install.bat again ,but this time Install
Do this after every update

Windows CleanUp!
I keep Prefetch checked and do a Standard Cleanup, but I install and uninstall a lot of programs
I mentioned you may want to uncheck that option, but run it once every couple of months.... Leave the other defaults as is......

If you installed SpywareGuard, It won't update as much, but check every couple of weeks anyways
This is the only program I had you install that will run in the background
Real time protection against Spyware
Acts much like an Anti-Virus software
But they both have they're own jobs......

I hope everything is a little clearer
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

I think I'll save this info so I don't have to type it out again /tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' />

That Stop Error message, I just notice your reply about it
When exactly did this start to happen, before we started the fixes?
It sounds like it
Did it happen after you installed Service Pack 2?

STOP: 0x0000008E (0xC0000005, 0x805F4788, 0xF2D50ADC, 0x00000000)
Is that the whole message, is there anything after the 000000, any file name?

Could be a corrupt driver
Can you do me a favor
Enter your Control Panel and Double click on Adminstrative Tools
You will have to be In Classic View
Open Event Viewer
Highlight Applications---Do you see any Red Error messages on the Right
If so, Double click on them and let me know what program they are related too

Next--Highlight System and let me know about any errors

Can you also look in your Device Manager for any yellow exclamation marks or red x's
Right click MyComputer---Left click Properties---Select Hardware tab
Device Manager
Title: ist svc
Post by: Barbora on January 17, 2005, 06:18:50 AM: Yes, I had the problems since I installed Windows.

There was nothinh in Device Manager.

But the Event View is worse....

There are 24 Errors and 59 Warnings in Applications
problems:

-bs player, version 1.0.0.811, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011c48.

-firefox.exe, version 1.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000. (my mozilla browser I think)

-EXCEL.EXE, version 10.0.2701.12, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-winword.exe, version 10.0.2627.0, faulting module winword.exe, version 10.0.2627.0, fault address 0x002378a8.

-iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-winamp.exe, version 5.0.0.7, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-actalert.exe, version 0.0.0.0, faulting module actalert.exe, version 0.0.0.0, fault address 0x00007257.

-devdetect.exe, version 2.0.0.12, faulting module mfc70.dll, version 7.0.9466.0, fault address 0x0000f442.

-lexicon.exe, version 4.0.0.2, faulting module lexicon.exe, version 4.0.0.2, fault address 0x00020f20.

-wmplayer.exe, version 10.0.0.3646, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-TOTALCMD.EXE, version 6.0.3.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

And those programs are repeating.... should I uninstall them and then install again?

Then in Security there are 2 Failure Audits:

-IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

-IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

And in System there are so many Errors and Warnings that I cant even count them.... /ohmy.gif\' class=\'bbc_emoticon\' alt=\':o\' />(

Why there are so many complications with Windows???? /mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' />

U know I had Linux for few months and I never had any problems.... only I wasnt able to use it properly /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

So I am again a windows user ....
Title: ist svc
Post by: guestolo on January 18, 2005, 01:35:52 AM: The first thing you should do
Make it over to the manufacturers website of the Laptop and ensure you have the latest drivers installed
Make sure you have the latest Video Drivers for sure

Also check any third party software installed on your machine for any program updates