Author Topic: http://rl.webtracer.cc/-/?atgkn  (Read 1498 times)

Offline mpitaji

  • Newbie
  • Posts: 4
  • Karma: +0/-0
http://rl.webtracer.cc/-/?atgkn
« on: April 30, 2005, 04:15:25 PM »
Having a very difficult time removing this browser hijacker. I have attempted to use some of the techniques I've seen on this forum, to no avail. Help is very much appreciated.

Here is my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:14:37 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?atgkn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?atgkn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tim (bam)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 1159680172 auto.search.msn.com
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
http://rl.webtracer.cc/-/?atgkn
« Reply #1 on: April 30, 2005, 04:58:29 PM »
Create a new folder on your desktop
Right click an empty spot on the desktop
Select NEW>>FOLDER
Name the new folder Locate
Download and save to desktop Locate.zip

UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat

Could you also
download  startdreck.zip

UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers", put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline mpitaji

  • Newbie
  • Posts: 4
  • Karma: +0/-0
http://rl.webtracer.cc/-/?atgkn
« Reply #2 on: April 30, 2005, 05:08:18 PM »
When running Locate.bat, I get the following prompt:

"16 bit MS-DOS Subsystem:
C:\Windows\System32\cmd.exe
C:\Windows\System32\Autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications.  Choose 'Close' to terminate the application."

Here is my log file from StartDreck:

StartDreck (build 2.1.7 public stable) - 2005-04-30 @ 15:06:59 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as dave at DAVE-NRC8KTZRRB

»Registry
»Files
»System/Drivers
 »NT Services
  *Alerter   Alerter   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Application Layer Gateway Service   ALG   -   on demand
   `binary: C:\WINDOWS\System32\alg.exe
  *Application Management   AppMgmt   -   on demand
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Ati HotKey Poller   Ati HotKey Poller   running   auto
   `binary: C:\WINDOWS\System32\Ati2evxx.exe
  *ATI Smart   ATI Smart   -   auto
   `binary: C:\WINDOWS\system32\ati2sgag.exe
  *Windows Audio   AudioSrv   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Background Intelligent Transfer Service   BITS   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Computer Browser   Browser   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Symantec Event Manager   ccEvtMgr   running   auto
   `binary: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
  *Symantec Password Validation   ccPwdSvc   -   on demand
   `binary: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
  *Symantec Settings Manager   ccSetMgr   running   auto
   `binary: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
  *Indexing Service   cisvc   -   on demand
   `binary: C:\WINDOWS\System32\cisvc.exe
  *ClipBook   ClipSrv   -   on demand
   `binary: C:\WINDOWS\system32\clipsrv.exe
  *COM+ System Application   COMSysApp   -   on demand
   `binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  *Cryptographic Services   CryptSvc   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *DHCP Client   Dhcp   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Logical Disk Manager Administrative Service   dmadmin   -   on demand
   `binary: C:\WINDOWS\System32\dmadmin.exe /com
  *Logical Disk Manager   dmserver   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *DNS Client   Dnscache   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
  *Error Reporting Service   ERSvc   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Event Log   Eventlog   running   auto
   `binary: C:\WINDOWS\system32\services.exe
  *COM+ Event System   EventSystem   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Fast User Switching Compatibility   FastUserSwitchingCom   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Help and Support   helpsvc   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *HID Input Service   HidServ   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *IMAPI CD-Burning COM Service   ImapiService   -   on demand
   `binary: C:\WINDOWS\System32\imapi.exe
  *Server   lanmanserver   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Workstation   lanmanworkstation   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *TCP/IP NetBIOS Helper   LmHosts   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Messenger   Messenger   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
   `binary: C:\WINDOWS\System32\mnmsrvc.exe
  *Distributed Transaction Coordinator   MSDTC   -   on demand
   `binary: C:\WINDOWS\System32\msdtc.exe
  *Windows Installer   MSIServer   -   on demand
   `binary: C:\WINDOWS\System32\msiexec.exe /V
  *Norton AntiVirus Auto Protect Service   navapsvc   running   auto
   `binary: "C:\Program Files\Norton AntiVirus\navapsvc.exe"
  *Network DDE   NetDDE   -   on demand
   `binary: C:\WINDOWS\system32\netdde.exe
  *Network DDE DSDM   NetDDEdsdm   -   on demand
   `binary: C:\WINDOWS\system32\netdde.exe
  *Net Logon   Netlogon   -   on demand
   `binary: C:\WINDOWS\System32\lsass.exe
  *Network Connections   Netman   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Network Location Awareness (NLA)   Nla   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *NT LM Security Support Provider   NtLmSsp   -   on demand
   `binary: C:\WINDOWS\System32\lsass.exe
  *Removable Storage   NtmsSvc   -   on demand
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Plug and Play   PlugPlay   running   auto
   `binary: C:\WINDOWS\system32\services.exe
  *Pml Driver HPZ12   Pml Driver HPZ12   -   on demand
   `binary: C:\WINDOWS\System32\HPZipm12.exe
  *IPSEC Services   PolicyAgent   running   auto
   `binary: C:\WINDOWS\System32\lsass.exe
  *Protected Storage   ProtectedStorage   running   auto
   `binary: C:\WINDOWS\system32\lsass.exe
  *Remote Access Auto Connection Manager   RasAuto   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Remote Access Connection Manager   RasMan   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Remote Desktop Help Session Manager   RDSessMgr   -   on demand
   `binary: C:\WINDOWS\system32\sessmgr.exe
  *Routing and Remote Access   RemoteAccess   -   disabled
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Remote Registry   RemoteRegistry   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k LocalService
  *Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
   `binary: C:\WINDOWS\System32\locator.exe
  *Remote Procedure Call (RPC)   RpcSs   running   auto
   `binary: C:\WINDOWS\system32\svchost -k rpcss
  *QoS RSVP   RSVP   -   on demand
   `binary: C:\WINDOWS\System32\rsvp.exe
  *Security Accounts Manager   SamSs   running   auto
   `binary: C:\WINDOWS\system32\lsass.exe
  *SAVScan   SAVScan   running   auto
   `binary: C:\Program Files\Norton AntiVirus\SAVScan.exe
  *ScriptBlocking Service   SBService   -   auto
   `binary: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
  *Smart Card Helper   SCardDrv   -   on demand
   `binary: C:\WINDOWS\System32\SCardSvr.exe
  *Smart Card   SCardSvr   -   on demand
   `binary: C:\WINDOWS\System32\SCardSvr.exe
  *Task Scheduler   Schedule   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Secondary Logon   seclogon   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *System Event Notification   SENS   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Internet Connection Firewall (ICF) / Internet C   SharedAccess   -   on demand
   `onnection Sharing (ICS)
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Shell Hardware Detection   ShellHWDetection   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Symantec Network Drivers Service   SNDSrvc   -   on demand
   `binary: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  *Print Spooler   Spooler   running   auto
   `binary: C:\WINDOWS\system32\spoolsv.exe
  *System Restore Service   srservice   -   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *SSDP Discovery Service   SSDPSRV   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Windows Image Acquisition (WIA)   stisvc   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
  *MS Software Shadow Copy Provider   SwPrv   -   on demand
   `binary: C:\WINDOWS\System32\dllhost.exe /Processid:{800CD0BA-8241-4B14-9A48-CF7CFF44325F}
  *Symantec Core LC   Symantec Core LC   running   auto
   `binary: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  *SymWMI Service   SymWSC   -   auto
   `binary: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  *Performance Logs and Alerts   SysmonLog   -   on demand
   `binary: C:\WINDOWS\system32\smlogsvc.exe
  *Telephony   TapiSrv   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Terminal Services   TermService   running   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Themes   Themes   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Telnet   TlntSvr   -   on demand
   `binary: C:\WINDOWS\System32\tlntsvr.exe
  *Distributed Link Tracking Client   TrkWks   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Windows User Mode Driver Framework   UMWdf   running   auto
   `binary: C:\WINDOWS\System32\wdfmgr.exe
  *Upload Manager   uploadmgr   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Universal Plug and Play Device Host   upnphost   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Uninterruptible Power Supply   UPS   -   on demand
   `binary: C:\WINDOWS\System32\ups.exe
  *Volume Shadow Copy   VSS   -   on demand
   `binary: C:\WINDOWS\System32\vssvc.exe
  *Windows Time   W32Time   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *WebClient   WebClient   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k LocalService
  *Windows Management Instrumentation   winmgmt   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Portable Media Serial Number Service   WmdmPmSN   -   on demand
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *Windows Management Instrumentation Driver Exten   Wmi   -   on demand
   `sions
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
  *WMI Performance Adapter   WmiApSrv   -   on demand
   `binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
  *Automatic Updates   wuauserv   running   auto
   `binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
  *Wireless Zero Configuration   WZCSVC   running   auto
   `binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
 »NT Kernel- and FS-drivers
  *Abiosdsk   Abiosdsk   -   disabled
   `binary:
  *abp480n5   abp480n5   -   disabled
   `binary:
  *Microsoft ACPI Driver   ACPI   running   boot
   `binary: \SystemRoot\System32\DRIVERS\ACPI.sys
  *ACPIEC   ACPIEC   -   disabled
   `binary:
  *adpu160m   adpu160m   -   disabled
   `binary:
  *Microsoft Kernel Acoustic Echo Canceller   aec   -   on demand
   `binary: system32\drivers\aec.sys
  *AFD Networking Support Environment   AFD   running   auto
   `binary: \SystemRoot\System32\drivers\afd.sys
  *AFS2K   AFS2K   running   system
   `binary:
  *Aha154x   Aha154x   -   disabled
   `binary:
  *aic78u2   aic78u2   -   disabled
   `binary:
  *aic78xx   aic78xx   -   disabled
   `binary:
  *Service for WDM 3D Audio Driver   ALCXSENS   -   on demand
   `binary: system32\drivers\ALCXSENS.SYS
  *Service for Realtek AC97 Audio (WDM)   ALCXWDM   running   on demand
   `binary: system32\drivers\ALCXWDM.SYS
  *AliIde   AliIde   -   disabled
   `binary:
  *amsint   amsint   -   disabled
   `binary:
  *1394 ARP Client Protocol   Arp1394   running   on demand
   `binary: System32\DRIVERS\arp1394.sys
  *asc   asc   -   disabled
   `binary:
  *asc3350p   asc3350p   -   disabled
   `binary:
  *asc3550   asc3550   -   disabled
   `binary:
  *RAS Asynchronous Media Driver   AsyncMac   -   on demand
   `binary: System32\DRIVERS\asyncmac.sys
  *Standard IDE/ESDI Hard Disk Controller   atapi   running   boot
   `binary: \SystemRoot\System32\DRIVERS\atapi.sys
  *Atdisk   Atdisk   -   disabled
   `binary:
  *ati2mtag   ati2mtag   running   on demand
   `binary: System32\DRIVERS\ati2mtag.sys
  *ATM ARP Client Protocol   Atmarpc   -   on demand
   `binary: System32\DRIVERS\atmarpc.sys
  *Audio Stub Driver   audstub   running   on demand
   `binary: System32\DRIVERS\audstub.sys
  *Beep   Beep   running   system
   `binary:
  *cbidf2k   cbidf2k   -   disabled
   `binary:
  *cd20xrnt   cd20xrnt   -   disabled
   `binary:
  *Cdaudio   Cdaudio   -   system
   `binary:
  *Cdfs   Cdfs   running   disabled
   `binary:
  *CD-ROM Driver   Cdrom   running   system
   `binary: System32\DRIVERS\cdrom.sys
  *Changer   Changer   -   system
   `binary:
  *CmdIde   CmdIde   -   disabled
   `binary:
  *Cpqarray   Cpqarray   -   disabled
   `binary:
  *dac960nt   dac960nt   -   disabled
   `binary:
  *Disk Driver   Disk   running   boot
   `binary: \SystemRoot\System32\DRIVERS\disk.sys
  *dmboot   dmboot   -   disabled
   `binary: System32\drivers\dmboot.sys
  *Logical Disk Manager Driver   dmio   running   boot
   `binary: \SystemRoot\System32\drivers\dmio.sys
  *dmload   dmload   running   boot
   `binary: \SystemRoot\System32\drivers\dmload.sys
  *Microsoft Kernel DLS Syntheiszer   DMusic   -   on demand
   `binary: system32\drivers\DMusic.sys
  *dpti2o   dpti2o   -   disabled
   `binary:
  *Microsoft Kernel DRM Audio Descrambler   drmkaud   -   on demand
   `binary: system32\drivers\drmkaud.sys
  *Fastfat   Fastfat   -   disabled
   `binary:
  *Floppy Disk Controller Driver   Fdc   running   on demand
   `binary: System32\DRIVERS\fdc.sys
  *Fips   Fips   running   system
   `binary:
  *Floppy Disk Driver   Flpydisk   -   on demand
   `binary: System32\DRIVERS\flpydisk.sys
  *Volume Manager Driver   Ftdisk   running   boot
   `binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
  *GMSIPCI   GMSIPCI   -   on demand
   `binary: \??\E:\INSTALL\GMSIPCI.SYS
  *Generic Packet Classifier   Gpc   running   on demand
   `binary: System32\DRIVERS\msgpc.sys
  *Microsoft HID Class Driver   hidusb   running   on demand
   `binary: System32\DRIVERS\hidusb.sys
  *hpn   hpn   -   disabled
   `binary:
  *hpt3xx   hpt3xx   -   disabled
   `binary:
  *IEEE-1284.4 Driver HPZid412   HPZid412   -   on demand
   `binary: System32\DRIVERS\HPZid412.sys
  *Print Class Driver for IEEE-1284.4 HPZipr12   HPZipr12   -   on demand
   `binary: System32\DRIVERS\HPZipr12.sys
  *USB to IEEE-1284.4 Translation Driver HPZius12   HPZius12   -   on demand
   `binary: System32\DRIVERS\HPZius12.sys
  *i2omgmt   i2omgmt   -   system
   `binary:
  *i2omp   i2omp   -   disabled
   `binary:
  *i8042 Keyboard and PS/2 Mouse Port Driver   i8042prt   running   system
   `binary: System32\DRIVERS\i8042prt.sys
  *Imapi   Imapi   running   system
   `binary:
  *ini910u   ini910u   -   disabled
   `binary:
  *IntelIde   IntelIde   -   disabled
   `binary:
  *IP Traffic Filter Driver   IpFilterDriver   -   on demand
   `binary: System32\DRIVERS\ipfltdrv.sys
  *IP in IP Tunnel Driver   IpInIp   -   on demand
   `binary: System32\DRIVERS\ipinip.sys
  *IP Network Address Translator   IpNat   -   on demand
   `binary: System32\DRIVERS\ipnat.sys
  *IPSEC driver   IPSec   running   system
   `binary: System32\DRIVERS\ipsec.sys
  *IR Enumerator Service   IRENUM   -   on demand
   `binary: System32\DRIVERS\irenum.sys
  *PnP ISA/EISA Bus Driver   isapnp   running   boot
   `binary: \SystemRoot\System32\DRIVERS\isapnp.sys
  *Keyboard Class Driver   Kbdclass   running   system
   `binary: System32\DRIVERS\kbdclass.sys
  *Keyboard HID Driver   kbdhid   -   system
   `binary: System32\DRIVERS\kbdhid.sys
  *Microsoft Kernel Wave Audio Mixer   kmixer   running   on demand
   `binary: system32\drivers\kmixer.sys
  *KSecDD   KSecDD   running   boot
   `binary:
  *lbrtfdc   lbrtfdc   -   system
   `binary:
  *ldiskl   ldiskl   -   on demand
   `binary: \??\C:\DOCUME~1\dave\LOCALS~1\Temp\ldiskl.sys
  *mbwgkgw   mbwgkgw   -   on demand
   `binary: \??\C:\WINDOWS\System32\uovejs\mbwgkgw
  *mnmdd   mnmdd   running   system
   `binary:
  *Modem   Modem   -   on demand
   `binary:
  *Mouse Class Driver   Mouclass   running   system
   `binary: System32\DRIVERS\mouclass.sys
  *Mouse HID Driver   mouhid   running   on demand
   `binary: System32\DRIVERS\mouhid.sys
  *MountMgr   MountMgr   running   boot
   `binary:
  *mraid35x   mraid35x   -   disabled
   `binary:
  *WebDav Client Redirector   MRxDAV   running   on demand
   `binary: System32\DRIVERS\mrxdav.sys
  *MRxSmb   MRxSmb   running   system
   `binary: System32\DRIVERS\mrxsmb.sys
  *Msfs   Msfs   running   system
   `binary:
  *Microsoft Streaming Service Proxy   MSKSSRV   -   on demand
   `binary: system32\drivers\MSKSSRV.sys
  *Microsoft Streaming Clock Proxy   MSPCLOCK   -   on demand
   `binary: system32\drivers\MSPCLOCK.sys
  *Microsoft Streaming Quality Manager Proxy   MSPQM   -   on demand
   `binary: system32\drivers\MSPQM.sys
  *Mup   Mup   running   boot
   `binary:
  *NAVENG   NAVENG   running   on demand
   `binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050428.018\NAVENG.Sys
  *NAVEX15   NAVEX15   running   on demand
   `binary: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050428.018\NavEx15.Sys
  *NDIS System Driver   NDIS   running   boot
   `binary:
  *Remote Access NDIS TAPI Driver   NdisTapi   running   on demand
   `binary: System32\DRIVERS\ndistapi.sys
  *NDIS Usermode I/O Protocol   Ndisuio   running   on demand
   `binary: System32\DRIVERS\ndisuio.sys
  *Remote Access NDIS WAN Driver   NdisWan   running   on demand
   `binary: System32\DRIVERS\ndiswan.sys
  *NDIS Proxy   NDProxy   running   on demand
   `binary:
  *NetBIOS Interface   NetBIOS   running   system
   `binary: System32\DRIVERS\netbios.sys
  *NetBT   NetBT   running   system
   `binary: System32\DRIVERS\netbt.sys
  *1394 Net Driver   NIC1394   running   on demand
   `binary: System32\DRIVERS\nic1394.sys
  *Npfs   Npfs   running   system
   `binary:
  *NTACCESS   NTACCESS   -   on demand
   `binary: \??\E:\NTACCESS.sys
  *Ntfs   Ntfs   running   disabled
   `binary:
  *Null   Null   running   system
   `binary:
  *IPX Traffic Filter Driver   NwlnkFlt   -   on demand
   `binary: System32\DRIVERS\nwlnkflt.sys
  *IPX Traffic Forwarder Driver   NwlnkFwd   -   on demand
   `binary: System32\DRIVERS\nwlnkfwd.sys
  *VIA OHCI Compliant IEEE 1394 Host Controller   ohci1394   running   boot
   `binary: \SystemRoot\System32\DRIVERS\ohci1394.sys
  *Parallel port driver   Parport   running   on demand
   `binary: System32\DRIVERS\parport.sys
  *PartMgr   PartMgr   running   boot
   `binary:
  *ParVdm   ParVdm   running   auto
   `binary:
  *PCI Bus Driver   PCI   running   boot
   `binary: \SystemRoot\System32\DRIVERS\pci.sys
  *PCIDump   PCIDump   -   system
   `binary:
  *PCIIde   PCIIde   -   disabled
   `binary:
  *Pcmcia   Pcmcia   -   disabled
   `binary:
  *PDCOMP   PDCOMP   -   on demand
   `binary:
  *PDFRAME   PDFRAME   -   on demand
   `binary:
  *PDRELI   PDRELI   -   on demand
   `binary:
  *PDRFRAME   PDRFRAME   -   on demand
   `binary:
  *perc2   perc2   -   disabled
   `binary:
  *perc2hib   perc2hib   -   disabled
   `binary:
  *WAN Miniport (PPTP)   PptpMiniport   running   on demand
   `binary: System32\DRIVERS\raspptp.sys
  *Processor Driver   Processor   running   system
   `binary: System32\DRIVERS\processr.sys
  *QoS Packet Scheduler   PSched   running   on demand
   `binary: System32\DRIVERS\psched.sys
  *Direct Parallel Link Driver   Ptilink   running   on demand
   `binary: System32\DRIVERS\ptilink.sys
  *PxHelp20   PxHelp20   running   boot
   `binary: \SystemRoot\System32\DRIVERS\PxHelp20.sys
  *ql1080   ql1080   -   disabled
   `binary:
  *Ql10wnt   Ql10wnt   -   disabled
   `binary:
  *ql12160   ql12160   -   disabled
   `binary:
  *ql1240   ql1240   -   disabled
   `binary:
  *ql1280   ql1280   -   disabled
   `binary:
  *Remote Access Auto Connection Driver   RasAcd   running   system
   `binary: System32\DRIVERS\rasacd.sys
  *WAN Miniport (L2TP)   Rasl2tp   running   on demand
   `binary: System32\DRIVERS\rasl2tp.sys
  *Remote Access PPPOE Driver   RasPppoe   running   on demand
   `binary: System32\DRIVERS\raspppoe.sys
  *Direct Parallel   Raspti   running   on demand
   `binary: System32\DRIVERS\raspti.sys
  *Rdbss   Rdbss   running   system
   `binary: System32\DRIVERS\rdbss.sys
  *RDPCDD   RDPCDD   running   system
   `binary: System32\DRIVERS\RDPCDD.sys
  *Terminal Server Device Redirector Driver   rdpdr   running   on demand
   `binary: System32\DRIVERS\rdpdr.sys
  *RDPWD   RDPWD   running   on demand
   `binary:
  *Digital CD Audio Playback Filter Driver   redbook   running   system
   `binary: System32\DRIVERS\redbook.sys
  *Realtek RTL8139/810x/8169/8110 all in one NDIS    RTL8023   running   on demand
   `NT Driver
   `binary: System32\DRIVERS\Rtlnic51.sys
  *SAVRT   SAVRT   running   system
   `binary: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS
  *SAVRTPEL   SAVRTPEL   running   system
   `binary: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
  *Secdrv   Secdrv   running   auto
   `binary: System32\DRIVERS\secdrv.sys
  *Serenum Filter Driver   serenum   running   on demand
   `binary: System32\DRIVERS\serenum.sys
  *Serial port driver   Serial   running   system
   `binary: System32\DRIVERS\serial.sys
  *SetupNTGLM7X   SetupNTGLM7X   -   on demand
   `binary: \??\E:\NTGLM7X.sys
  *High-Capacity Floppy Disk Drive   Sfloppy   -   on demand
   `binary: System32\DRIVERS\sfloppy.sys
  *Simbad   Simbad   -   disabled
   `binary:
  *Sparrow   Sparrow   -   disabled
   `binary:
  *Microsoft Kernel Audio Splitter   splitter   -   on demand
   `binary: system32\drivers\splitter.sys
  *System Restore Filter Driver   sr   -   disabled
   `binary: \SystemRoot\System32\DRIVERS\sr.sys
  *Srv   Srv   running   on demand
   `binary: System32\DRIVERS\srv.sys
  *Software Bus Driver   swenum   running   on demand
   `binary: System32\DRIVERS\swenum.sys
  *Microsoft Kernel GS Wavetable Synthesizer   swmidi   -   on demand
   `binary: system32\drivers\swmidi.sys
  *symc810   symc810   -   disabled
   `binary:
  *symc8xx   symc8xx   -   disabled
   `binary:
  *SymEvent   SymEvent   running   on demand
   `binary: \??\C:\Program Files\Symantec\SYMEVENT.SYS
  *symlcbrd   symlcbrd   running   auto
   `binary: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
  *SYMREDRV   SYMREDRV   -   on demand
   `binary: \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
  *SYMTDI   SYMTDI   running   system
   `binary: \SystemRoot\System32\Drivers\SYMTDI.SYS
  *sym_hi   sym_hi   -   disabled
   `binary:
  *sym_u3   sym_u3   -   disabled
   `binary:
  *Microsoft Kernel System Audio Device   sysaudio   running   on demand
   `binary: system32\drivers\sysaudio.sys
  *tapec   tapec   running   auto
   `binary: \??\C:\WINDOWS\System32\drivers\tapec.sys
  *TCP/IP Protocol Driver   Tcpip   running   system
   `binary: System32\DRIVERS\tcpip.sys
  *TDPIPE   TDPIPE   -   on demand
   `binary:
  *TDTCP   TDTCP   running   on demand
   `binary:
  *Terminal Device Driver   TermDD   running   system
   `binary: System32\DRIVERS\termdd.sys
  *TosIde   TosIde   -   disabled
   `binary:
  *Udfs   Udfs   -   disabled
   `binary:
  *ultra   ultra   -   disabled
   `binary:
  *Microcode Update Driver   Update   running   on demand
   `binary: System32\DRIVERS\update.sys
  *Microsoft USB Generic Parent Driver   usbccgp   -   on demand
   `binary: System32\DRIVERS\usbccgp.sys
  *USB2 Enabled Hub   usbhub   running   on demand
   `binary: System32\DRIVERS\usbhub.sys
  *Microsoft USB PRINTER Class   usbprint   -   on demand
   `binary: System32\DRIVERS\usbprint.sys
  *USB Mass Storage Driver   USBSTOR   -   on demand
   `binary: System32\DRIVERS\USBSTOR.SYS
  *Microsoft USB Universal Host Controller Minipor   usbuhci   running   on demand
   `t Driver
   `binary: System32\DRIVERS\usbuhci.sys
  *VgaSave   VgaSave   running   system
   `binary: \SystemRoot\System32\drivers\vga.sys
  *VIA AGP Filter   viaagp1   running   boot
   `binary: \SystemRoot\System32\DRIVERS\viaagp1.sys
  *ViaIde   ViaIde   running   boot
   `binary: \SystemRoot\System32\DRIVERS\viaidexp.sys
  *viasraid   viasraid   running   boot
   `binary: \SystemRoot\system32\drivers\viasraid.sys
  *VolSnap   VolSnap   running   boot
   `binary:
  *Remote Access IP ARP Driver   Wanarp   running   on demand
   `binary: System32\DRIVERS\wanarp.sys
  *WDICA   WDICA   -   on demand
   `binary:
  *Microsoft WINMM WDM Audio Compatibility Driver   wdmaud   running   on demand
   `binary: system32\drivers\wdmaud.sys
  *Windows Socket 2.0 Non-IFS Service Provider Sup   WS2IFSL   -   disabled
   `port Environment
   `binary: \SystemRoot\System32\drivers\ws2ifsl.sys
»Application specific

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
http://rl.webtracer.cc/-/?atgkn
« Reply #3 on: April 30, 2005, 05:13:28 PM »
I should be able to filter out one bad file with Startdreck.zip, but I would like the log from
Locate.bat too

Could you do the following:
Go to this thread and try the solution I gave to this user.
Remember if you have to download the fix to download the correct version
Click Here



Offline mpitaji

  • Newbie
  • Posts: 4
  • Karma: +0/-0
http://rl.webtracer.cc/-/?atgkn
« Reply #4 on: April 30, 2005, 05:18:42 PM »
That worked like a champ!

Here is the Locate log:

C:\WINDOWS\SYSTEM32\DRIVERS\TAPEC.SYS
C:\WINDOWS\SOFTWA~1\DOWNLOAD\6CA7B3~1\ATINXBXX.SYS
C:\WINDOWS\SOFTWA~1\DOWNLOAD\6CA7B3~1\WCEUSBSH.SYS
C:\ATI\SUPPORT\WXP-W2~1\WDM\WDM_XP\ATINXBXX.SYS
C:\ATI\SUPPORT\WXP-W2~2\WDM\WDM_XP\ATINXBXX.SYS
C:\ATI\SUPPORT\WXP-W2~4\WDM\WDM_XP\ATINXBXX.SYS

Offline guestolo
« Reply #5 on: April 30, 2005, 05:31:32 PM »
Can you do the following please

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Navigate to this file (exact file name; there may be others that look similar, but they are legit):
C:\WINDOWS\SYSTEM32\DRIVERS\TAPEC.SYS <-file
Right click on it and rename it to TAPEC.old


After that find and delete these files
C:\WINDOWS\stsheets.dat <-file
C:\WINDOWS\hosts <file, in the Windows folder only

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?atgkn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?atgkn

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log afterwards

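A defender-side triage of the HijackThis entries the reply above asks to fix, written as an added example; it is not part of the thread and is not HijackThis's own code. It assumes a constructed sample log built from the entries quoted in the thread and an illustrative, assumed allowlist of home-page domains. The rules flag a start page on a host outside that allowlist, the malformed `:0` proxy entry, a hosts-file entry whose address is written as a single decimal integer (1159680172 is 69.31.80.172 in dotted form, the same address), and an IE user stylesheet that points at a non-.css file in the Windows folder. The allowlist and the rule thresholds are placeholders a practitioner would replace with their own.

```python
"""Triage a HijackThis log for the browser-hijacker indicators seen in this thread.

Added example; not part of the original thread or of HijackThis. The sample
log below is constructed from the entries quoted in the thread, and the
allowlist of home-page domains is an assumption for illustration only.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts that are acceptable as an IE start page. Replace
# with your own policy; the two entries here are placeholders.
TRUSTED_HOMEPAGE_DOMAINS = ("msn.com", "google.com")

# Constructed sample: the R0/R1/O1/O19 entries from the poster's log, plus
# one benign O8 entry for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?atgkn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?atgkn
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 1159680172 auto.search.msn.com
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
"""

# Every HijackThis entry starts with a section code (R0, O1, O19, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse(log: str):
    """Return (section, body) pairs for each recognised entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def decode_hosts_ip(token: str) -> str:
    """Normalise the address column of a hosts entry.

    The hosts file accepts the numeric forms inet_addr() does, including a
    single 32-bit decimal integer, so a hijacker can hide a redirect target
    from a casual reader. Dotted-quad input is returned unchanged.
    """
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))
    return token


def is_trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOMEPAGE_DOMAINS)


def triage(log: str):
    """Return a list of (kind, message) findings for suspicious entries."""
    findings = []
    for sec, body in parse(log):
        if sec in ("R0", "R1") and "Start Page = " in body:
            url = body.split("Start Page = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host and not is_trusted_host(host):
                findings.append(("start-page", f"{sec}: start page set to untrusted host {host}"))
        elif sec == "R1" and "ProxyServer = " in body:
            proxy = body.split("ProxyServer = ", 1)[1].strip()
            # An empty host or port 0 is not a usable proxy; it is a leftover
            # of tampering with the Internet Settings key.
            if proxy and (proxy.startswith(":") or proxy.endswith(":0")):
                findings.append(("proxy", f"malformed ProxyServer value {proxy!r}"))
        elif sec == "O1" and body.startswith("Hosts: "):
            addr, name = body[len("Hosts: "):].split(None, 1)
            decoded = decode_hosts_ip(addr)
            if decoded != addr:
                findings.append(("hosts", f"{name} pinned to {decoded} (written as {addr})"))
            elif not decoded.startswith("127."):
                findings.append(("hosts", f"{name} redirected to {decoded}"))
        elif sec == "O19" and "User stylesheet: " in body:
            path = body.split("User stylesheet: ", 1)[1].strip()
            low = path.lower()
            # A user stylesheet that is not a .css file, or that lives in the
            # Windows folder, is the O19 pattern this thread removes.
            if not low.endswith(".css") or low.startswith("c:\\windows\\"):
                findings.append(("stylesheet", f"IE user stylesheet points at {path}"))
    return findings


if __name__ == "__main__":
    for kind, message in triage(SAMPLE_LOG):
        print(f"[{kind}] {message}")
```

Run against the constructed sample this reports five findings: two start-page entries (HKCU and HKLM), the `:0` proxy, the decimal-encoded hosts entry, and the `stsheets.dat` stylesheet; the O8 Google Toolbar entry and the empty LinksFolderName produce nothing. The hosts rule also flags a dotted-quad entry that is not loopback, which goes beyond the single case in the thread.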


Offline mpitaji
« Reply #6 on: April 30, 2005, 05:48:07 PM »
Followed the directions and it seems to have worked! Thanks so much!

Just in case though, here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 3:45:39 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tim (bam)
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo
« Reply #7 on: April 30, 2005, 05:49:31 PM »
That looks good. Is your version of Windows legit?
If so, why so far behind on Windows Updates?
