Post by: afrohead on April 28, 2005, 05:49:25 PM
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> also here is a hijack log [/color][/font]Logfile of HijackThis v1.99.1
Scan saved at 9:04:50 PM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\aim\aim.exe
C:\Downloads\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rvkpka.exe
C:\Program Files\K-Meleon\k-meleon.exe
C:\Program Files\Yahoo SiteBuilder\Yahoo!SiteBuilder.exe
C:\PROGRA~1\JavaSoft\JRE1.4\14267D~1.1\bin\javaw.exe
C:\Documents and Settings\DL only\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=first_run&AID=10004 (http://\"http://www.stopzilla.com/director/?type=first_run&AID=10004\")
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rvkpka.exe
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Byron"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Adware Spyware SE] C:\Program Files\AdWare SpyWare SE\AdWare SpyWare SE.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Downloads\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab (http://\"http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab\")
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1343450befc59b...ip/RdxIE601.cab (http://\"http://software-dl.real.com/1343450befc59baa4d00/netzip/RdxIE601.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB (http://\"https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab\")
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[font=\"Arial\"][color=\"blue\"]plz any help would be great thanks in advance
[/color][/font]
Post by: guestolo on April 29, 2005, 12:52:59 AM
=Download the RKFiles.zip
http://skads.org/special/rkfiles.zip (http://\"http://skads.org/special/rkfiles.zip\")
UNZIP the contents to it's own folder
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Restart your computer into SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039\")
Open the folder you unzipped rkfiles.zip too
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Restart back to Normal mode
Post the log produced by rkfiles.bat
Also
Download FindQoologic-Narrator.zip
Save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981 (http://\"http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981\")
UNZIP the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic2.bat file to run it.
wait until a text opens
Post this log also
Post by: afrohead on April 29, 2005, 02:43:40 PM
EASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
desktop.ini
HP Digital Imaging Monitor.lnk
HP Image Zone Fast Start.lnk
SECRETMAKER.lnk
User Startup:
C:\Documents and Settings\DL only\Start Menu\Programs\Startup
.
..
desktop.ini
K-Meleon Loader.lnk
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gfxnxs
<NO NAME> REG_SZ {0d37bfad-8a26-4994-8efb-e9755420a4a6}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gfxnxsqg
<NO NAME> REG_SZ {d3818ab2-2d3c-481a-9568-c10c2b6c1dbf}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQMenu
<NO NAME> REG_SZ {f802f260-519b-11d1-bb5d-0060974c6013}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 15:40
Operating System: Windows XP SP2
HKLM\Software\Microsoft\Active Setup\Installed Components\
"799b10e9-e721-4842-99dc-c932520ea882\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\cbmnmxo.exe" [null data]
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
[font=\"Arial\"][color=\"red\"]Heres the rkfiles[/color][/font]
C:\Documents and Settings\DL only\My Documents
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\Install.exe: UPX!
C:\WINDOWS\system32\msbb321.dll: UPX!
C:\WINDOWS\system32\MTE1Mzc6ODoxMg.exe: UPX!
C:\WINDOWS\system32\qpkak.dat: UPX!
C:\WINDOWS\system32\rvkpka.exe: UPX!
C:\WINDOWS\system32\winup2date.dll: UPX!
C:\WINDOWS\system32\wmconfig.cpl: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\icont.exe: UPX!
C:\WINDOWS\sskb5.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
Post by: guestolo on April 29, 2005, 10:20:09 PM
UNZIP it to a folder of your choice
==Download and then UNZIP to deskto fix.zip
So you now have fix.reg on the desktop
[attachment=185:attachment]
Please copy and paste the rest of these instructions too a Notepad file and then save it to desktop
Disconnect from the Internet and close all browser windows including this one
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.stopzilla.com/director/?type=first_run&AID=10004 (http://\"http://www.stopzilla.com/director/?type=first_run&AID=10004\")
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rvkpka.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1343450befc59b...ip/RdxIE601.cab (http://\"http://software-dl.real.com/1343450befc59b...ip/RdxIE601.cab\")
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\system32\rvkpka.exe
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Continue to copy and paste the next paths to the files below into killbox
Selecting Delete on Reboot after each
C:\WINDOWS\system32\cbmnmxo.exe
C:\WINDOWS\system32\Install.exe
C:\WINDOWS\system32\msbb321.dll
C:\WINDOWS\system32\MTE1Mzc6ODoxMg.exe
C:\WINDOWS\system32\qpkak.dat
C:\WINDOWS\system32\rvkpka.exe
C:\WINDOWS\system32\winup2date.dll
C:\WINDOWS\system32\wmconfig.cpl
C:\WINDOWS\icont.exe
C:\WINDOWS\sskb5.exe
When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Back in Windows
Double click on fix.reg and allow to merge to the registry
Restart your computer again
Back in Windows
Post back a fresh Hijackthis log
Also run RKFiles.bat again and post the log produced
AFTER posting this log could you run FindQoologic.bat again and post this log
NOTE: At any time, if any security software such as Spybot Tea Timer or Microsoft AntiSpyware prompts about a change, Allow it so it won't interfere with any fixes
Post by: afrohead on April 30, 2005, 09:32:47 AM
but ill do everything elce
Post by: afrohead on April 30, 2005, 10:18:16 AM
Post by: Edward on April 30, 2005, 11:02:41 AM
Post by: afrohead on April 30, 2005, 11:29:34 AM
Post by: afrohead on April 30, 2005, 11:34:35 AM
[email protected]
and plz put a subject of fix.zip when u send
thx
Post by: Edward on April 30, 2005, 11:43:15 AM
Post by: Edward on April 30, 2005, 11:48:07 AM
Post by: afrohead on April 30, 2005, 11:49:02 AM
Post by: Edward on April 30, 2005, 11:50:06 AM
Post by: afrohead on April 30, 2005, 11:54:27 AM
Post by: afrohead on April 30, 2005, 11:55:10 AM
Logfile of HijackThis v1.99.1
Scan saved at 12:54:49 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AdWare SpyWare SE\AdWare SpyWare SE.exe
C:\Downloads\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\K-Meleon\loader.exe
C:\Program Files\K-Meleon\k-meleon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\DL only\Desktop\Spyware Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Byron"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Adware Spyware SE] C:\Program Files\AdWare SpyWare SE\AdWare SpyWare SE.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Downloads\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O4 - Global Startup: strings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab (http://\"http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB (http://\"https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab\")
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Post by: Edward on April 30, 2005, 11:58:48 AM
Post by: afrohead on April 30, 2005, 12:06:59 PM
C:\Documents and Settings\DL only\Desktop\Spyware Programs
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
Post by: afrohead on April 30, 2005, 12:09:00 PM
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQMenu
<NO NAME> REG_SZ {f802f260-519b-11d1-bb5d-0060974c6013}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Post by: guestolo on April 30, 2005, 12:37:44 PM
Can you do one more thing for me as it didn't appear with your logs
Delete any reference to Activesetup Components text files, DON'T delete Activesetup.vbs
Then double click on Activesetup.vbs
A new a Activesetup Components text file will be produced
Post the contents of it back here
Post by: afrohead on April 30, 2005, 01:43:07 PM
Post by: guestolo on April 30, 2005, 01:45:47 PM
Post by: afrohead on April 30, 2005, 01:46:59 PM
Post by: afrohead on April 30, 2005, 01:47:56 PM
"Find activesetup", version1, launched at: 14:47
Operating System: Windows XP SP2
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
Post by: guestolo on April 30, 2005, 01:55:46 PM
Oh, and thanks Edward for mailing that reg file
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 also
Post by: afrohead on April 30, 2005, 02:04:56 PM
and i wont need 2 dl the last program b/c i do not use internet explore i use K-Meleon