Post by: agc8319 on March 20, 2005, 04:34:07 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:32:06 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (http://\"http://rl.webtracer.cc/-/?bayzm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (http://\"http://rl.webtracer.cc/-/?bayzm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/j1ybNsZSTT69WjQ5tt4.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6 (http://\"http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab (http://\"http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab (http://\"http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1056_XP.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab (http://\"http://software-dl.real.com/04653b4824d567562920/netzip/RdxIE601.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093154352655\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab (http://\"http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab\")
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab (http://\"http://64.124.45.181/chaincast/proxy/CCMP.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx (http://\"http://esb.alcena.com/ESBAdultInstaller.ocx\")
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab (http://\"http://www.cjb.net/search.cab\")
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe (http://\"http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
Post by: guestolo on March 20, 2005, 05:01:58 PM
Right click an empty spot on the desktop
Select NEW>>FOLDER
Name the new folder Locate
Download and save too desktop Locate.zip (http://\"http://www.atribune.org/downloads/locate.zip\")
UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat
Wait for the report and post it back here with a fresh Hijackthis log
Post by: agc8319 on March 20, 2005, 05:17:54 PM
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
Am I doing something wrong?
Post by: agc8319 on March 20, 2005, 05:21:19 PM
Post by: guestolo on March 20, 2005, 05:24:46 PM
C:\WINDOWS\REPAIR
folder
Copy Autoexec.nt from that folder and paste it too the
C:\WINDOWS\System32 folder
If no go
Go to this link and download the correct copy for your operating system
http://www.tech-forums.net/computer/topic/29806.html (http://\"http://www.tech-forums.net/computer/topic/29806.html\")
If your not sure if you have XP home or pro
Go to START>>RUN>>type in winver
Hit Ok
You may have to restart your computer afterwards
I'll be back later to see how your doing
Post by: agc8319 on March 20, 2005, 05:36:47 PM
Logfile of HijackThis v1.99.1
Scan saved at 5:32:33 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
D:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (http://\"http://rl.webtracer.cc/-/?bayzm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (http://\"http://rl.webtracer.cc/-/?bayzm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/j1ybNsZSTT69WjQ5tt4.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6 (http://\"http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab (http://\"http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab (http://\"http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1056_XP.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab (http://\"http://software-dl.real.com/04653b4824d567562920/netzip/RdxIE601.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093154352655\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab (http://\"http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab\")
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab (http://\"http://64.124.45.181/chaincast/proxy/CCMP.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx (http://\"http://esb.alcena.com/ESBAdultInstaller.ocx\")
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab (http://\"http://www.cjb.net/search.cab\")
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe (http://\"http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
Post by: guestolo on March 20, 2005, 05:39:11 PM
If it's there post it back here, if not try running Locate.bat again
I need the hidden installers name or you will just keep getting reinfected
If you can't get this too work we will have to try other methods
Ensure you Unzipped Locate.zip to a folder of it's own
If you can't get the log to show
Can you follow these instructions
Click here and download Startdreck.zip http://www.niksoft.at/_data/startdreck.zip (http://\"http://www.niksoft.at/_data/startdreck.zip\")
UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers, put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.
Copy and Paste the contents of that log back here
Post by: agc8319 on March 20, 2005, 06:36:59 PM
C:\WINDOWS\SYSTEM32\DRIVERS\BDASUPI.SYS
Post by: agc8319 on March 20, 2005, 08:08:48 PM
»Registry
»Files
»System/Drivers
»NT Services
*Alerter Alerter running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service ALG - on demand
`binary: C:\WINDOWS\System32\alg.exe
*Application Management AppMgmt - on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows Audio AudioSrv running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*AVG7 Alert Manager Server Avg7Alrt running auto
`binary: D:\AVG7~1.0\avgamsvr.exe
*AVG7 Update Service Avg7UpdSvc running auto
`binary: D:\AVG7~1.0\avgupsvc.exe
*Background Intelligent Transfer Service BITS - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser Browser running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Indexing Service cisvc running auto
`binary: C:\WINDOWS\System32\cisvc.exe
*ClipBook ClipSrv - on demand
`binary: C:\WINDOWS\system32\clipsrv.exe
*COM+ System Application COMSysApp - on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Cryptographic Services CryptSvc running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*DHCP Client Dhcp running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service dmadmin - on demand
`binary: C:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager dmserver - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client Dnscache running auto
`binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
*Error Reporting Service ERSvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log Eventlog running auto
`binary: C:\WINDOWS\system32\services.exe
*COM+ Event System EventSystem running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*GBPoll GBPoll running auto
`binary: D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
*Help and Support helpsvc running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Human Interface Device Access HidServ - disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*IMAPI CD-Burning COM Service ImapiService - on demand
`binary: C:\WINDOWS\System32\imapi.exe
*ISEXEng ISEXEng - auto
`binary: C:\WINDOWS\System32\angelex.exe
*Server lanmanserver running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation lanmanworkstation running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*TCP/IP NetBIOS Helper LmHosts running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Messenger Messenger - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
`binary: C:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator MSDTC - on demand
`binary: C:\WINDOWS\System32\msdtc.exe
*Windows Installer MSIServer - on demand
`binary: C:\windows\System32\msiexec.exe /V
*Network DDE NetDDE - on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Network DDE DSDM NetDDEdsdm - on demand
`binary: C:\WINDOWS\system32\netdde.exe
*Net Logon Netlogon - on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Network Connections Netman running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Location Awareness (NLA) Nla running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NT LM Security Support Provider NtLmSsp - on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Removable Storage NtmsSvc - on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*NVIDIA Driver Helper Service NVSvc running auto
`binary: C:\WINDOWS\System32\nvsvc32.exe
*Plug and Play PlugPlay running auto
`binary: C:\WINDOWS\system32\services.exe
*IPSEC Services PolicyAgent running auto
`binary: C:\WINDOWS\System32\lsass.exe
*Protected Storage ProtectedStorage running auto
`binary: C:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager RasAuto - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager RasMan - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager RDSessMgr - on demand
`binary: C:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access RemoteAccess - disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
`binary: C:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC) RpcSs running auto
`binary: C:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP RSVP - on demand
`binary: C:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager SamSs running auto
`binary: C:\WINDOWS\system32\lsass.exe
*Smart Card Helper SCardDrv - on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Smart Card SCardSvr - on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler Schedule running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon seclogon running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification SENS running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Shell Hardware Detection ShellHWDetection running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Print Spooler Spooler running auto
`binary: C:\WINDOWS\system32\spoolsv.exe
*Sony SPTI Service SPTISRV - on demand
`binary: C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
*System Restore Service srservice - auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service SSDPSRV running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA) stisvc - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider SwPrv - on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{BA72BC4C-14AC-4B54-B08C-9E23DC869967}
*Performance Logs and Alerts SysmonLog - on demand
`binary: C:\WINDOWS\system32\smlogsvc.exe
*Telephony TapiSrv running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services TermService running on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Themes Themes running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Distributed Link Tracking Client TrkWks running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows User Mode Driver Framework UMWdf running auto
`binary: C:\WINDOWS\System32\wdfmgr.exe
*Upload Manager uploadmgr running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host upnphost - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply UPS - on demand
`binary: C:\WINDOWS\System32\ups.exe
*Volume Shadow Copy VSS - on demand
`binary: C:\WINDOWS\System32\vssvc.exe
*Windows Time W32Time running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WebClient WebClient running auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation winmgmt running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Portable Media Serial Number Service WmdmPmSN - on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter WmiApSrv - on demand
`binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
*Automatic Updates wuauserv running auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration WZCSVC running auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*ZESOFT ZESOFT - auto
`binary: C:\WINDOWS\zeta.exe
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
`binary:
*abp480n5 abp480n5 - disabled
`binary:
*Microsoft ACPI Driver ACPI running boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC ACPIEC - disabled
`binary:
*adpu160m adpu160m - disabled
`binary:
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment AFD running auto
`binary: \SystemRoot\System32\drivers\afd.sys
*Intel AGP Bus Filter agp440 running boot
`binary: \SystemRoot\System32\DRIVERS\agp440.sys
*Aha154x Aha154x - disabled
`binary:
*aic78u2 aic78u2 - disabled
`binary:
*aic78xx aic78xx - disabled
`binary:
*AliIde AliIde - disabled
`binary:
*amsint amsint - disabled
`binary:
*1394 ARP Client Protocol Arp1394 running on demand
`binary: System32\DRIVERS\arp1394.sys
*asc asc - disabled
`binary:
*asc3350p asc3350p - disabled
`binary:
*asc3550 asc3550 - disabled
`binary:
*Aspi32 Aspi32 running auto
`binary:
*RAS Asynchronous Media Driver AsyncMac - on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller atapi running boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk Atdisk - disabled
`binary:
*ATM ARP Client Protocol Atmarpc - on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver audstub running on demand
`binary: System32\DRIVERS\audstub.sys
*AVG7 Kernel Avg7Core running system
`binary: \SystemRoot\System32\Drivers\avg7core.sys
*AVG7 Wrap Driver Avg7RsW running system
`binary: \SystemRoot\System32\Drivers\avg7rsw.sys
*AVG7 Rezident Driver Avg7RsXP running system
`binary: \SystemRoot\System32\Drivers\avg7rsxp.sys
*AVG Network Redirector AvgTdi running auto
`binary: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys
*Broadcom iLine10(tm) Network Adapter Driver BCM42XX - on demand
`binary: System32\DRIVERS\bcm42xx5.sys
*BCM V.90 56K Modem BCMModem - on demand
`binary: System32\DRIVERS\BCMDM.sys
*bdasupi bdasupi running auto
`binary: \??\C:\WINDOWS\System32\drivers\bdasupi.sys
*Beep Beep running system
`binary:
*MAC Bridge Bridge - on demand
`binary: System32\DRIVERS\bridge.sys
*MAC Bridge Miniport BridgeMP running on demand
`binary: System32\DRIVERS\bridge.sys
*cbidf2k cbidf2k - disabled
`binary:
*cd20xrnt cd20xrnt - disabled
`binary:
*Cdaudio Cdaudio - system
`binary:
*Cdfs Cdfs running disabled
`binary:
*CD-ROM Driver Cdrom running system
`binary: System32\DRIVERS\cdrom.sys
*Changer Changer - system
`binary:
*CmdIde CmdIde - disabled
`binary:
*Cpqarray Cpqarray - disabled
`binary:
*dac960nt dac960nt - disabled
`binary:
*Disk Driver Disk running boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot dmboot - disabled
`binary: System32\drivers\dmboot.sys
*Sony DMI Call service DMICall running system
`binary: System32\DRIVERS\DMICall.sys
*dmio dmio - disabled
`binary: System32\drivers\dmio.sys
*dmload dmload - disabled
`binary: System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
`binary: system32\drivers\DMusic.sys
*dpti2o dpti2o - disabled
`binary:
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
`binary: system32\drivers\drmkaud.sys
*Fastfat Fastfat running disabled
`binary:
*Floppy Disk Controller Driver Fdc running on demand
`binary: System32\DRIVERS\fdc.sys
*Fips Fips running system
`binary:
*Floppy Disk Driver Flpydisk running on demand
`binary: System32\DRIVERS\flpydisk.sys
*Volume Manager Driver Ftdisk running boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*GBDevice GBDevice running boot
`binary:
*GBFSHook GBFSHook running auto
`binary:
*GoBack2K GoBack2K running boot
`binary:
*Generic Packet Classifier Gpc running on demand
`binary: System32\DRIVERS\msgpc.sys
*Microsoft HID Class Driver HidUsb - on demand
`binary: System32\DRIVERS\hidusb.sys
*hpn hpn - disabled
`binary:
*hpt3xx hpt3xx - disabled
`binary:
*i2omgmt i2omgmt running system
`binary:
*i2omp i2omp - disabled
`binary:
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
`binary: System32\DRIVERS\i8042prt.sys
*Imapi Imapi running system
`binary:
*ini910u ini910u - disabled
`binary:
*IntelIde IntelIde running boot
`binary: \SystemRoot\System32\DRIVERS\intelide.sys
*IP Traffic Filter Driver IpFilterDriver - on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver IpInIp - on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator IpNat - on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver IPSec running system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service IRENUM - on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver isapnp running boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*Keyboard Class Driver Kbdclass running system
`binary: System32\DRIVERS\kbdclass.sys
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
`binary: system32\drivers\kmixer.sys
*KSecDD KSecDD running boot
`binary:
*lbrtfdc lbrtfdc - system
`binary:
*Lucent Modem Driver ltmodem5 running on demand
`binary: System32\DRIVERS\ltmdmnt.sys
*mnmdd mnmdd running system
`binary:
*Modem Modem running on demand
`binary:
*Unimodem Streaming Filter Device MODEMCSA - on demand
`binary: system32\drivers\MODEMCSA.sys
*Mouse Class Driver Mouclass running system
`binary: System32\DRIVERS\mouclass.sys
*Mouse HID Driver mouhid - on demand
`binary: System32\DRIVERS\mouhid.sys
*Mount Point Manager MountMgr running boot
`binary:
*mraid35x mraid35x - disabled
`binary:
*WebDav Client Redirector MRxDAV running on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb MRxSmb running system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs Msfs running system
`binary:
*Microsoft Streaming Service Proxy MSKSSRV - on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
`binary: system32\drivers\MSPQM.sys
*Mup Mup running boot
`binary:
*NDIS System Driver NDIS running boot
`binary:
*Remote Access NDIS TAPI Driver NdisTapi running on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol Ndisuio running on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver NdisWan running on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy NDProxy running on demand
`binary:
*NetBIOS Interface NetBIOS running system
`binary: System32\DRIVERS\netbios.sys
*NetBT NetBT running system
`binary: System32\DRIVERS\netbt.sys
*1394 Net Driver NIC1394 running on demand
`binary: System32\DRIVERS\nic1394.sys
*Network Monitor Driver nm - on demand
`binary: System32\DRIVERS\NMnt.sys
*Npfs Npfs running system
`binary:
*Ntfs Ntfs running disabled
`binary:
*Null Null running system
`binary:
*nv nv running on demand
`binary: System32\DRIVERS\nv4_mini.sys
*nv4 nv4 - on demand
`binary: System32\DRIVERS\nv4_mini.sys
*IPX Traffic Filter Driver NwlnkFlt - on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*NWLink IPX/SPX/NetBIOS Compatible Transport Pro NwlnkIpx running auto
`tocol
`binary: System32\DRIVERS\nwlnkipx.sys
*NWLink NetBIOS NwlnkNb running auto
`binary: System32\DRIVERS\nwlnknb.sys
*NWLink SPX/SPXII Protocol NwlnkSpx running auto
`binary: System32\DRIVERS\nwlnkspx.sys
*Texas Instruments OHCI Compliant IEEE 1394 Host ohci1394 running boot
` Controller
`binary: \SystemRoot\System32\DRIVERS\ohci1394.sys
*Parallel port driver Parport running on demand
`binary: System32\DRIVERS\parport.sys
*Partition Manager PartMgr running boot
`binary:
*ParVdm ParVdm running auto
`binary:
*PCI Bus Driver PCI running boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump PCIDump - system
`binary:
*PCIIde PCIIde - disabled
`binary:
*Pcmcia Pcmcia - disabled
`binary:
*PDCOMP PDCOMP - on demand
`binary:
*PDFRAME PDFRAME - on demand
`binary:
*PDRELI PDRELI - on demand
`binary:
*PDRFRAME PDRFRAME - on demand
`binary:
*perc2 perc2 - disabled
`binary:
*perc2hib perc2hib - disabled
`binary:
*WAN Miniport (PPTP) PptpMiniport running on demand
`binary: System32\DRIVERS\raspptp.sys
*Processor Driver Processor running system
`binary: System32\DRIVERS\processr.sys
*QoS Packet Scheduler PSched running on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver Ptilink running on demand
`binary: System32\DRIVERS\ptilink.sys
*PxHelp20 PxHelp20 running boot
`binary: \SystemRoot\System32\DRIVERS\PxHelp20.sys
*ql1080 ql1080 - disabled
`binary:
*Ql10wnt Ql10wnt - disabled
`binary:
*ql12160 ql12160 - disabled
`binary:
*ql1240 ql1240 - disabled
`binary:
*ql1280 ql1280 - disabled
`binary:
*Remote Access Auto Connection Driver RasAcd running system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP) Rasl2tp running on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver RasPppoe running on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel Raspti running on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss Rdbss running system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD RDPCDD running system
`binary: System32\DRIVERS\RDPCDD.sys
*RDPWD RDPWD - on demand
`binary:
*Digital CD Audio Playback Filter Driver redbook running system
`binary: System32\DRIVERS\redbook.sys
*Realtek RTL8139(A/B/C)-based PCI Fast Ethernet rtl8139 running on demand
`Adapter NT Driver
`binary: System32\DRIVERS\RTL8139.SYS
*Secdrv Secdrv running auto
`binary: System32\DRIVERS\secdrv.sys
*Serenum Filter Driver serenum running on demand
`binary: System32\DRIVERS\serenum.sys
*Serial port driver Serial running system
`binary: System32\DRIVERS\serial.sys
*Sfloppy Sfloppy - system
`binary:
*Simbad Simbad - disabled
`binary:
*smwdm smwdm running on demand
`binary: system32\drivers\smwdm.sys
*FAN Control Device Service SonyFanC running system
`binary: System32\Drivers\SonyFanC.sys
*Sparrow Sparrow - disabled
`binary:
*Microsoft Kernel Audio Splitter splitter - on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver sr - disabled
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv Srv running on demand
`binary: System32\DRIVERS\srv.sys
*Software Bus Driver swenum running on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
`binary: system32\drivers\swmidi.sys
*symc810 symc810 - disabled
`binary:
*symc8xx symc8xx - disabled
`binary:
*sym_hi sym_hi - disabled
`binary:
*sym_u3 sym_u3 - disabled
`binary:
*Microsoft Kernel System Audio Device sysaudio running on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver Tcpip running system
`binary: System32\DRIVERS\tcpip.sys
*TDPIPE TDPIPE - on demand
`binary:
*TDTCP TDTCP - on demand
`binary:
*Terminal Device Driver TermDD running system
`binary: System32\DRIVERS\termdd.sys
*TosIde TosIde - disabled
`binary:
*Udfs Udfs - disabled
`binary:
*ultra ultra - disabled
`binary:
*Microcode Update Driver Update running on demand
`binary: System32\DRIVERS\update.sys
*USB2 Enabled Hub usbhub running on demand
`binary: System32\DRIVERS\usbhub.sys
*USB Mass Storage Driver USBSTOR - on demand
`binary: System32\DRIVERS\USBSTOR.SYS
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*V7 V7 running auto
`binary:
*VGA Display Controller. VgaSave running system
`binary: \SystemRoot\System32\drivers\vga.sys
*ViaIde ViaIde - disabled
`binary:
*VolSnap VolSnap running boot
`binary:
*Remote Access IP ARP Driver Wanarp running on demand
`binary: System32\DRIVERS\wanarp.sys
*WDICA WDICA - on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
`binary: system32\drivers\wdmaud.sys
*Windows Socket 2.0 Non-IFS Service Provider Sup WS2IFSL - on demand
`port Environment
`binary: \SystemRoot\System32\drivers\ws2ifsl.sys
»Application specific
Post by: guestolo on March 20, 2005, 09:41:47 PM
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- ISEXEng
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Do the same for this one
ZESOFT
Find and delete these files or folders if found
C:\WINDOWS\SYSTEM32\DRIVERS\BDASUPI.SYS <--file
C:\WINDOWS\stsheets.dat
C:\WINDOWS\zeta.exe
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\System32\Kifibo32.dll
C:\Program Files\Internet Explorer\xxcyfcbo.exe
C:\foo.mht
c:\counter.cab
Stay in safe mode
Navigate to your temp folders and delete the whole contents, or whatever you can
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
# Empty your "Recycle Bin"
Open Hijackthis>>Open Misc tools section>>Open "Delete an NT service"
Copy and paste the next entry into the blank box and hit OK
ISEXEng
Do the same for this one
ZESOFT
Afterwards, Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (http://\"http://rl.webtracer.cc/-/?bayzm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (http://\"http://rl.webtracer.cc/-/?bayzm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O1 - Hosts: 1159680172 auto.search.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xxcyfcbo.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/j1ybNsZSTT69WjQ5tt4.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/11cbbd47/x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6 (http://\"http://public.windupdates.com/get_file.php...8a29296baabe1d6\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab (http://\"http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab\")
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab (http://\"http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab\")
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab (http://\"http://software-dl.real.com/04653b4824d567...ip/RdxIE601.cab\")
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab (http://\"http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab\")
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx (http://\"http://esb.alcena.com/ESBAdultInstaller.ocx\")
O16 - DPF: {D03A1C33-1913-4533-A8C1-F2C8D13045DE} - http://www.cjb.net/search.cab (http://\"http://www.cjb.net/search.cab\")
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe (http://\"http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe\")
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Kifibo32.dll (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart back to Normal mode
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
Post back with a fresh Hijackthis log afterwards
Post by: Guest on March 20, 2005, 10:48:23 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:44:58 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Panorama\Panorama.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab (http://\"http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1056_XP.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093154352655\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab (http://\"http://64.124.45.181/chaincast/proxy/CCMP.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Post by: guestolo on March 21, 2005, 12:17:46 AM
===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf (http://\"http://www.mvps.org/winhelp2002/DelDomains.inf\") and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop
===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
===Do another scan with Hijackthis and put a check next to these entries:
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab (http://\"http://akamai.downloadv3.com/binaries/EGDA...ESS_1056_XP.cab\")
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab (http://\"http://64.124.45.181/chaincast/proxy/CCMP.cab\")
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab (http://\"http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab\")
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer and post back a fresh hijackthis log
When did the problems start with the Yahoo toobar
The one entry we fixed related to Yahoo was also related too RedSheriff spyware
But should have no effect on the toolbar
Did you try any fixes beforehand
I haven't noticed the Toolbar in your log at all, I should of seen it from your first post
Post by: agc8319 on March 21, 2005, 07:59:04 PM
Post by: agc8319 on March 21, 2005, 08:14:26 PM
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
Logfile of HijackThis v1.99.1
Scan saved at 8:09:21 PM, on 3/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html (http://\"http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com\")
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093154352655\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Post by: guestolo on March 21, 2005, 08:22:40 PM
Installing Yahoo Toolbar also sets entries related too RedSheriff spyware
The toobar itself is ok, but the settings are not
Can you do another scan with Hijackthis and with all other windows closed
Fix these entries related to Red Sheriff spyware
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html (http://\"http://red.clientapps.yahoo.com/customize/.../search/ie.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...//www.yahoo.com\")
Restart your computer
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Post back one more log and let me know how things are running and if removing those entries have any effect on the Yahoo toolbar
This would be of some help as some users find those entries to cause troubles
Others don't
Post by: agc8319 on March 22, 2005, 12:01:17 AM
Logfile of HijackThis v1.99.1
Scan saved at 11:57:19 PM, on 3/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG7~1.0\avgamsvr.exe
D:\AVG7~1.0\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
D:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html (http://\"http://www.yahoo.com/search/ie.html\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.msn.com/ (http://\"http://www.bestbuy.msn.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com (http://\"http://www.bestbuy.msn.com\")
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Panorama.lnk = D:\Program Files\Panorama\Panorama.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/dot8_x.cab\")
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tt2_x.cab\")
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/st2_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab (http://\"http://www.rovion.com/Controls/Rovion.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093154352655 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093154352655\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by14fd.bay14.Email (http://\"http://by14fd.bay14.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB (http://\"http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB\")
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG7~1.0\avgupsvc.exe
O23 - Service: GBPoll - Symantec Corporation - D:\Program Files\Daemon & Norton Antivirus\Norton Anti-Virus\Norton GoBack\GBPoll.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Post by: guestolo on March 22, 2005, 12:43:08 AM
If everything is running better
You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Why so far behind on Windows Updates?
This is important in keeping your system secure online too...
Post by: agc8319 on March 23, 2005, 04:06:09 AM
Post by: guestolo on March 23, 2005, 11:34:19 PM
Here's a quote from the link I supplied
Quote
Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!
The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.
# Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
# Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
# Restrict the actions of potentially dangerous sites in Internet Explorer.
SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
And unlike other programs, SpywareBlaster does not have to remain running in the background.
Post by: agc8319 on March 24, 2005, 01:48:26 AM
I greatly appreciate all your help. I obviously would have been SOL without it!
Post by: guestolo on March 24, 2005, 08:51:24 PM
My eyes miss things too, we're all human
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> Take care and stay safe
Post by: guestolo on March 25, 2005, 11:24:44 PM
Here's what I said to you about the protection with SpywareBlaster
Quote
Make sure you check for updates with SpywareBlaster every couple of updates and enable all protection after every update
I meant to say,
Make sure you check for updates with SpywareBlaster every couple of weeks and enable all protection after every update
Like I said, Human
/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' /> I'm locking this topic agc8319
as your problems appear resolved, if you need this topic reopened
Please PM a Mod or the site Admin and supply a link to this thread
Take Care
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />