TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Guest_detect2173 on January 16, 2005, 05:33:58 PM
-
Hi. I followed the instructions from earlier posts. I created a folder in C: HJT. I then went and did the online scan as you suggested and it appeared to delete the ist files. Here is the new log:
Logfile of HijackThis v1.99.0
Scan saved at 4:28:52 PM, on 01/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\iosdt\iosdt.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jfb.cyberwize.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = J & K Marketing Group
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\7wfgmvfa.slt\prefs.js)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spybot] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O15 - Trusted Zone: *.allcracks.net
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.321751489824742&file=stamps.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\WINDOWS\system32\iosdt\iosdt.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v5 Security service - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
Thanks again.
John
-
Changing the format of your log to read it a bit easier
Logfile of HijackThis v1.99.0
Scan saved at 4:28:52 PM, on 01/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\iosdt\iosdt.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jfb.cyberwize.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = J & K Marketing Group
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\7wfgmvfa.slt\prefs.js)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spybot] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O15 - Trusted Zone: *.allcracks.net
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061....trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.321751489824742&file=stamps.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\WINDOWS\system32\iosdt\iosdt.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v5 Security service - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
-
You have a bad service running
Can you do me a favor
Could you Download and save to desktop ServiceFilter.zip (http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip)
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
Could you also
Can you Download DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
When it's done click the Make a log of what was found button and post it back here
Could you also post back a Fresh Hijackthis log
Don't alter the log in any way, just copy and paste back the Whole contents, thanks
I also noticed you're using an Old version of Ad-Aware
Ad-aware 6 has been updated, you appear to have the paid version
You may want to check out this link
Support and updates for Ad-Aware 6 are discontinued or will be shortly
Click here for more information
http://www.lavasoftusa.com/
After you update to the latest version, ensure to run a Full System Scan and remove all Critical objects
Restart your computer to finish the cleaning process
You may want to disable Ad-Watch before upgrading
-
Ok, here are the logs:
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jan 16, 2005 10:29:55 PM
---> Begin Service Listing <---
Unknown Service # 1
Service Name: avast! Mail Scanner
Display Name: avast! Mail Scanner
Start Mode: Manual
Start Name: LocalSystem
Description: Implements mail scanning for the avast! ...
Service Type: Own Process
Path: "c:\program files\alwil software\avast4\ashmaisv.exe" /service
State: Running
Process ID: 228
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Unknown Service # 2
Service Name: dnetc
Display Name: distributed.net client
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\windows\system32\iosdt\iosdt.exe"
State: Running
Process ID: 1564
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{b769260f-18dc-4f13-aa8f-20c98b63c4c9}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service # 4
Service Name: VC5SecS
Display Name: Virtual CD v5 Security service
Start Mode: Auto
Start Name: LocalSystem
Description: Provides support for using virtual CD ...
Service Type: Own Process
Path: "c:\program files\hhvcdv5sys\vc5secs.exe"
State: Running
Process ID: 1892
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
---> End Service Listing <---
There are 88 Win32 services on this machine.
4 were unrecognized.
Script Execution Time: 3.140625 seconds.
********************************************************
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,400 items found: 1,400 files, 0 directories.
Total of file sizes: 304,592,408 bytes 290.48 M
Administrator Account = True
--------------------End log---------------------
********************************************************
Logfile of HijackThis v1.98.2
Scan saved at 10:37:05 PM, on 01/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\iosdt\iosdt.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jfb.cyberwize.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = J & K Marketing Group
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\7wfgmvfa.slt\prefs.js)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spybot] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O15 - Trusted Zone: *.allcracks.net
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.321751489824742&file=stamps.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Thanks again
-
You're still running Ad-Aware 6?
Can you not update to the latest version
We still have to rid you of a bad Process
C:\WINDOWS\system32\iosdt\iosdt.exe
Can you try and update your version of Ad-Aware and run a full system scan
Restart after removing all Criticals
Post back a Hijackthis log from version 1.99
It's in this location,
C:\Program Files\HijackThis\HijackThis.exe
-
Logfile of HijackThis v1.99.0
Scan saved at 11:30:04 PM, on 01/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\iosdt\iosdt.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jfb.cyberwize.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = J & K Marketing Group
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\7wfgmvfa.slt\prefs.js)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Errvj] C:\WINDOWS\mqaitfq.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spybot] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O15 - Trusted Zone: *.allcracks.net
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.321751489824742&file=stamps.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\WINDOWS\system32\iosdt\iosdt.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v5 Security service - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
I am unable to locate an update for ad-aware. I only find v6.0 build 1.8.1
-
Access your Add/Remove programs and remove if found
'iWon Plus'
'iWon EZ Setup'
'iWon Search Assistant'
'iWon co-pilot'
Restart your computer if anything removed
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- distributed.net client
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Access your task manager and ensure this isn't running
iosdt.exe
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [Errvj] C:\WINDOWS\mqaitfq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.allcracks.net
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\WINDOWS\system32\iosdt\iosdt.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Find and delete these files or folders if they exist
C:\WINDOWS\mqaitfq.exe <--file
C:\Program Files\iWon <--folder
C:\WINDOWS\system32\iosdt <--folder
RESTART back to Normal Mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup>>Start--Run--type in cleanmgr
I can't see why you wouldn't be able to upgrade to Ad-Aware 1.05
If you can, would you please upgrade and run the scan
This link gives you the info you need
http://www.lavasoftusa.com/
Scroll down to
Important notice for users of Ad-Aware 6 all versions!
under News
Post back with a fresh Hijackthis log afterwards
If any entries return we will have to disable Ad-Watch and SpywareGuard until you are clean
If prompted by either of the programs changes are being made, allow them
-
Ok, here is the log. Thank you so much for your help.
(BTW I got the updated ad-aware) Thanks again!
John
Logfile of HijackThis v1.99.0
Scan saved at 5:24:30 PM, on 01/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\TaxCut04\Program\TaxCut.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jfb.cyberwize.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = J & K Marketing Group
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spybot] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.a8o\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.321751489824742&file=stamps.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Looks good, how's everything on your end
I see you have Spybot possibly running on startup, user preference
If disabled, make sure to Check for updates every couple of weeks and run a scan
If everything is running smooth now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
Here's a link, just in case you're unsure how to
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
I see you have SpywareGuard installed, you may want to make sure you also have JavaCools' other excellent program installed too, if you don't have it already
EDIT>>I confused SpywareGuard with StartPageGuard, sorry about that
Ensure to install SpywareBlaster
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
Check for updates every couple of weeks
After installation ensure to check for updates and Enable all protection
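The helper's method in this thread is to compare each fresh HijackThis log against the previous one and pick out what appeared or disappeared. The Python script below does that comparison mechanically; it is an added example, not code from the thread or from HijackThis. The two embedded logs are short excerpts of the 01/16/2005 11:30 PM and 01/19/2005 logs posted above, and the review heuristics (Trusted Zone entries, an autorun whose executable sits directly in the Windows directory, an IE proxy setting) are this example's own assumptions, not HijackThis rules.

```python
"""Compare two HijackThis logs and flag entry types worth a second look.

Added example, not code from the thread or from HijackThis. BEFORE and AFTER
are short excerpts of the 01/16/2005 11:30 PM and 01/19/2005 logs posted in
the thread; the review heuristics below are this example's own assumptions.
"""
import re
from collections import defaultdict

# One HijackThis entry line: a section code (R0, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RNOF]\d{1,2}) - (?P<body>.+)$")

# Autorun whose target sits directly in the Windows directory (C:\WINDOWS\x.exe)
# rather than in a subfolder such as system32. Heuristic of this example only.
WINDIR_ROOT_EXE = re.compile(r'\]\s+"?[A-Za-z]:\\windows\\[^\\"\s]+\.exe', re.IGNORECASE)

BEFORE = r"""
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\3.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Errvj] C:\WINDOWS\mqaitfq.exe
O15 - Trusted Zone: *.allcracks.net
O15 - Trusted Zone: *.musicmatch.com
O23 - Service: distributed.net client - Distributed Computing Technologies, Inc. - C:\WINDOWS\system32\iosdt\iosdt.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
"""


def code_key(code):
    """Sort key so that O4 sorts before O15 (numeric, not lexical, order)."""
    return (code[0], int(code[1:]))


def parse_log(text):
    """Map each section code to the set of entry bodies found under it."""
    entries = defaultdict(set)
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("code")].add(match.group("body"))
    return dict(entries)


def diff_logs(before_text, after_text):
    """Return (added, removed): lists of (code, body) present in only one log."""
    before, after = parse_log(before_text), parse_log(after_text)
    codes = sorted(set(before) | set(after), key=code_key)
    added, removed = [], []
    for code in codes:
        old, new = before.get(code, set()), after.get(code, set())
        added.extend((code, body) for body in sorted(new - old))
        removed.extend((code, body) for body in sorted(old - new))
    return added, removed


def review_flags(text):
    """Apply this example's heuristics to one log; returns (reason, code, body) tuples."""
    flags = []
    entries = parse_log(text)
    for code in sorted(entries, key=code_key):
        for body in sorted(entries[code]):
            if code == "O15":
                flags.append(("site added to IE Trusted Zone", code, body))
            elif code == "O4" and WINDIR_ROOT_EXE.search(body):
                flags.append(("autorun executable directly in the Windows directory", code, body))
            elif code == "R1" and "ProxyServer" in body:
                flags.append(("IE proxy server set; confirm it is intended", code, body))
    return flags


if __name__ == "__main__":
    added, removed = diff_logs(BEFORE, AFTER)
    for code, body in removed:
        print(f"- {code} - {body}")
    for code, body in added:
        print(f"+ {code} - {body}")
    for reason, code, body in review_flags(AFTER):
        print(f"! {reason}: {code} - {body}")
```

Run against the excerpts it lists the six entries that vanished after the fix (the two iWon entries, the Errvj autorun, both Trusted Zone sites and the distributed.net service) and the two that appeared.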