Jump to content


Photo

Help me wise ones. Home page is About: blank


  • Please log in to reply
33 replies to this topic

#1 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 02 June 2004 - 10:22 PM

I have Ad-aware 6.0, SpyBot Search and Destroy, CWS Shedder, Zone Alarm and HijackThis.
I had already ran a sweep with Ad-aware and Spybot. Spy boot found a Host redirect. I believe it was IGetNet?. Adware found CWS, VX and various harmless tracking cookies. CWS Shredder came clean. Zone alarm is set to highest security(Free version), though I am thinking about buying the the new version that has just came out that includes the AV suite.

This has been frustrating. :grrr: My home page will not stay where I want it to be. :scratchhead:
Here is my HijackThis Log

Please help me Ole' wise ones :D
If you need to know anymore info about computer, I will provide. I am using a DSL connection.

Logfile of HijackThis v1.97.7
Scan saved at 7:59:09 PM, on 6/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1507
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.//my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1507
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewiz.../popblocker.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

#2 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 03 June 2004 - 06:52 AM

Well its the morning and I had to reboot because my DSL connection keeps going down :scratchhead:. So I ran Ad aware, spybot Seach and Destroy, CWShredder 1.58, and dl Spyblaster. Spyblaster will not run :wtf: Anyways here is my latest Highjack This log

Logfile of HijackThis v1.97.7
Scan saved at 4:46:07 AM, on 6/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1507
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewiz.../popblocker.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

P.S Human operator has also been hit with nasty virus. :weep: So he is not 100% healthy either.

#3 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 03 June 2004 - 05:13 PM

bump

#4 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 03 June 2004 - 08:02 PM

bump

#5 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 03 June 2004 - 10:33 PM

Well I have ran some more anti-spyware software, using the software that was recommended in the newsletter that Mike wrote. The X-Cleaner was really, really great. It cleaned a lot of files. I also dowloaded IE-spyad and put it in my registry. I downloaded some other files. Was never able to get Spyblaster to work.

So far so good. Ad-aware is not finding anything when my computer starts up, which is encouraging. :weee:
Here is my latest Hijack this Log. Could one of the experts :wave: take a look at it and see if there is anything more I need to do to get it completely clean?

Logfile of HijackThis v1.97.7
Scan saved at 8:27:48 PM, on 6/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1507
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1507
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O1 - Hosts: 207.36.196.189 #eautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewiz.../popblocker.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 03 June 2004 - 10:47 PM

You still have package there...

Fix checked in hijackthis:
*All- R1 - /R3 - /O1 - lines
*O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
*O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
*O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
*O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewiz.../popblocker.cab
*O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
*O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

-Delete this file: c:\searchpage.html<

Download: http://downloads.sub...g/VX2Finder.exe
Scan and post the results.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#7 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 03 June 2004 - 11:16 PM

OK, fixed the files you wanted on Hijack this. A unexpected error occurred but the files still got fixed and deleted. About 18 backup files that start with the name backup backup-20040603-210120 with 3 different at the end are now on my desktop. I downloaded the VX2 Finder and ran that. I have both the Hijack and VX2 finder logs.
I could not find the C:searchfile anywhere. I even searched hidden files and folders on Windows XP
Here are the logs. What should I do with those 18 backup files. 2 of them are dll files.

Logfile of HijackThis v1.97.7
Scan saved at 9:10:36 PM, on 6/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\COMPUTER\Desktop\VX2Finder.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


VX 2 Finder log
Files Found---
C:\WINDOWS\System32\dyprov.dll
C:\WINDOWS\System32\MrJT3032.DLL
C:\WINDOWS\System32\nttui0.dll
C:\WINDOWS\System32\nztui0.dll
C:\WINDOWS\System32\pubase.dll
C:\WINDOWS\System32\qqdit.dll


Guardian Key--- is called: GuardianUVYOO
Asynchronous 000
DllName C:\WINDOWS\system32\pubase.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {42FC83C9-CCD6-4B44-BFCA-62A77334430C}
IDex DS3

User Agent String---
{42FC83C9-CCD6-4B44-BFCA-62A77334430C}

Edited by PReevesZWebsurfer, 03 June 2004 - 11:18 PM.


#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 03 June 2004 - 11:32 PM

The backups are created by hijackthis.
It would have been smart to put it in a
folder so it can access the backups.

Select the files in VX2 finder and have it delete them.
It will ask you to restart on one file that can't be deleted.
Restart, scan again and be sure no other files are
listed in VX2 finder.

Lastly, check the boxes on the right pane:
-Guardian.reg
-Restore policy
-User agent
To fix the remains.

Scan again and make sure the results are
all cleared up, and you're all set ;)

Edited by freeatlast, 03 June 2004 - 11:33 PM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#9 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 04 June 2004 - 12:01 AM

Before I let you go and finally, trully be FREE AT LAST ;D
I went ahead and Restored Polichy and did User Agent. I ran Guardian.reg.
I let the system reboot like instructed.
Here is the VX2 finder log
Files Found---


Guardian Key--- is called:

User Agent String---

Here is my Hijack This log.
Logfile of HijackThis v1.97.7
Scan saved at 9:52:05 PM, on 6/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\COMPUTER\Desktop\VX2Finder.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Since the human computer operator is still stricken with a virus himself, he is going to bed because he still has to work to make money. He will continue this spyware nuking in the morning. I will run spybot S&D before I go to bed. I will do another Hijack this log for you in the morning if you like, unless I here more instructions from you.

#10 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 04 June 2004 - 06:40 AM

OK, it is 4:30am PST. Everything on computer is still running ok. Scanned it again with Xcleaner, adaware, and Spybot S&D and all came clean. Completed logs on VX2Finder and Hijackthis. VX2finder log was exactly the same as previous reply, which is good news :D
Since I am in the Techsupport field :techsupport: , this has been very beneficial to me.

VX2Finder log
Files Found---


Guardian Key--- is called:

User Agent String---

HijackThis log
Logfile of HijackThis v1.97.7
Scan saved at 4:31:06 AM, on 6/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ciadc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

So with all this, am I out of the woods now?

As for the virus effecting the human operator, I am drinking plenty of liquids and getting plenty of rest. I feel that I am beating the virus, but like these malicious softwares for the computer, flu viruses are hard to predict :grrr:

Edited by PReevesZWebsurfer, 04 June 2004 - 06:50 AM.


#11 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 04 June 2004 - 08:35 AM

You had multiple pests there...
Couple are still left...

Next--
Click on the 'Find-All' page link in my signature, Download:
"FIND-ALL.EXE".
Install, run the 'Find-all.cmd' file, it'll generate a log, post it here!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#12 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 04 June 2004 - 07:34 PM

OK, I ran Find-all.CMD like you wanted.
Here is the log. That is a neat app there.

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Fri Jun 04 15:35:29 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (3D34:18EC) - FS:FAT clusters:8k
Total: 10 230 423 552 [10G] - Free: 1 576 476 672 [1.5G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q321232;Q323759;Q324929;Q328676;Q810847;Q837009;Q832894;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar2.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar2.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
3:35pm up 0 days, 0:31

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RESIMHA.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESIMHA.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
336 SMSS.EXE
388 CSRSS.EXE Title:
412 WINLOGON.EXE Title: NetDDE Agent
464 SERVICES.EXE Svcs: Eventlog,PlugPlay
476 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
636 ATI2EVXX.EXE Svcs: Ati HotKey Poller
672 SVCHOST.EXE Svcs: RpcSs
700 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching
ompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Sc
edule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr
W32Time,winm
744 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService
896 SVCHOST.EXE Svcs: Dnscache
956 SDMCP.EXE Title:
964 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1100 SPOOLSV.EXE Svcs: Spooler
1384 EXPLORER.EXE Title: Program Manager
1488 ZLCLIENT.EXE Title: Privacy Info Dialog
1496 PSFree.exe Title:
1504 YPager.exe Title: Yahoo! Messenger
1528 CTFMON.EXE Title:
1748 SVCHOST.EXE Svcs: stisvc
1784 VSMON.EXE Svcs: vsmon
1980 MsPMSPSv.exe Svcs: WMDM PMSP Service
468 iexplore.exe Title: FreeAtLast - Microsoft Internet Explorer
324 iexplore.exe Title: NFL.com - - Microsoft Internet Explorer
4020 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1148 ntvdm.exe
3060 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [PAUL\COMPUTER], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group PAUL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
A C:\Find-All\Find-All\oldhosts.txt
--a-- - - - - - 1,202 06-03-2004 oldhosts.txt
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 1,202 06-03-2004 hosts
------
»»Rehash:

Fri Jun 04 15:36:24 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-04-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-04-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

#13 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 04 June 2004 - 11:05 PM

FreeAtLast, it came back. My home page got hijacked. I will post logs soon. I running everything again.

#14 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 04 June 2004 - 11:15 PM

Here are more recent logs
Hijack this log
Logfile of HijackThis v1.97.7
Scan saved at 8:59:35 PM, on 6/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\imlpgp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\imlpgp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\imlpgp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\imlpgp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\imlpgp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\imlpgp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Find-ALL.CMD log is next :techsupport:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Fri Jun 04 21:08:43 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (3D34:18EC) - FS:FAT clusters:8k
Total: 10 230 423 552 [10G] - Free: 1 587 585 024 [1.5G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q321232;Q323759;Q324929;Q328676;Q810847;Q837009;Q832894;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar2.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar2.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
9:08pm up 0 days, 0:13

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RESIMHA.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESIMHA.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
336 SMSS.EXE
388 CSRSS.EXE Title:
412 WINLOGON.EXE Title: NetDDE Agent
464 SERVICES.EXE Svcs: Eventlog,PlugPlay
476 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
636 ATI2EVXX.EXE Svcs: Ati HotKey Poller
672 SVCHOST.EXE Svcs: RpcSs
700 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Schedul
,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32T
me,winmgmt,w
748 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService
872 SVCHOST.EXE Svcs: Dnscache
912 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
964 SDMCP.EXE Title:
1096 SPOOLSV.EXE Svcs: Spooler
1388 EXPLORER.EXE Title: Program Manager
1496 ZLCLIENT.EXE Title: Privacy Info Dialog
1504 PSFree.exe Title:
1512 YPager.exe Title: Yahoo! Messenger
1540 CTFMON.EXE Title:
1736 SVCHOST.EXE Svcs: stisvc
1772 VSMON.EXE Svcs: vsmon
1936 MsPMSPSv.exe Svcs: WMDM PMSP Service
1956 HijackThis.exe Title: HijackThis
224 VX2Finder.exe Title: VX2Finder
1492 iexplore.exe Title: FreeAtLast - Microsoft Internet Explorer
1368 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1328 ntvdm.exe
4076 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [PAUL\COMPUTER], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group PAUL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
A C:\Find-All\Find-All\oldhosts.txt
--a-- - - - - - 1,202 06-03-2004 oldhosts.txt
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 1,202 06-03-2004 hosts
------
»»Rehash:

Fri Jun 04 21:09:23 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-04-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-04-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Lastly here is the VXfinder 2 log :techsupport:
Files Found---


Guardian Key--- is called:

User Agent String---


I see some of the familar pests came back under the Hijack Log. Any suggestions?? Other Experts feel free to help too. FreeAtLast is doing a wonderful job, though. I do thank you FreeAtLast for your hard work. We will win this battle. :thumbsup:

#15 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 09:58 AM

VX2Finder problem is over.

This pertains to something else on your Find-all log

You seem to have the 'classic' pest there!

-FIRST--
And before doing anything else, go to System
Restore, make sure it's active and create manual restore
point as safety procedure.

Next, follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
hilited.
(*compare and be sure the path on the status
bar is same as indicated above!)

--RightClick on the Windows Subfolder,
And rename Windows as Windows1

--Locate "AppInit_DLLs" value on the right
pane, RightClick it and select -> 'delete'

--Select the Windows1 on the left pane
again and rename it back to it's
original name, Windows

--Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ RESIMHA.DLL file, hilite
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder.
(It was created during first 'Find-All' run)
'ok' it.

---Re-run 'Find-All.cmd' and post new log!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#16 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 10:11 AM

:huh: You got me on the setting up system restore. My tech support is limited to over the phone for a certain company's software. I am knowledgeable on most parts of Windows. I am not famillar with system restore on XP however. If anyone who is could help me here so I can proceed with Free's insturctions here.

#17 richjk21

richjk21

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 05 June 2004 - 10:25 AM

In XP go to Start/programs/accessories/system tools/system restore .... when it opens select 'create a manual restore point".

Rich

#18 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 10:30 AM

Well, this was just a safety point.

How to:create your own restore point &How to restore Windows XP to a previous state
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#19 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 10:38 AM

Thanks for the replies. I was looking under system properties where it talked about System Restore.

#20 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 11:28 AM

It will not let me restore my system. I have rebooted several times and shut down all my start up programs except for Zone Alarm. The only thing left is to go into Safe Mode and try, but I will wait until I hear on that.

#21 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 11:48 AM

Why are you trying to restore? :mellow:

The instructions were pointed to create manual restore point!
However, in some cases system restore gets corrupted and you need to flush the restore point following these steps:
http://service1.syma...src=sec_doc_nam

As for cws issue(s) , these were the initial steps:
http://www.spywarein...indpost&p=19440

And if you attempt to restore to an earlier point now, these steps won't work properly.

Here is an example of how they should work:
http://www.spywarein...wtopic=4466&hl=

You can always try flushing restore, but you'd have to run the 'Find-All.cmd again once that get's fixed, or proceed as is, at your *own risk!

However, it's always wise to prepare some sort of working
backup when dealing with baddies, just to avoid the unexpected...
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#22 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 11:52 AM

I am sorry, that I was I meant to say. It wont let me get into the system wizard to setup a restore point. You may be right about it being corrupt. I will try the symantec step, then go from there.

#23 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 11:59 AM

Well it looks like system restore is jacked up. It wont let me disable it either. Unless you can think of something else to do concerning system restore, I will proceed with the rest of the step but with extreme caution :alarm:

#24 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 12:16 PM

Here's what you can do ;)

There is no real need to go through the complex instructions.

You can go here:
http://bootdisk.com/bootdisk.htm

Make a startup disk.
Win98 is highly recommended.

You can boot the system and try renaming the file via
console commands.
However, you do have to be a bit
familiar with prompts.

To navigate from A:\> type:
c:
type
cd windows
type:
cd system32
In order to rename the file, type:
ren RESIMHA.DLL RESIMHA.old

Restart the system via Ctrl-Alt-Delete, delete the RESIMHA.old.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#25 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 12:21 PM

Just out of curiousity, why would I want to may a boot disk out of win 98, when I am running Win XP? Also could I make my boot disk on a CD, because I dont have any floppies?

#26 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 12:25 PM

Oh nevermind, I saw the instructions. I guess I will run to BestBuy or Circuit City and buy some floppies. I will have to check to see if my floppy connected. I never have had use for it.

#27 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 12:26 PM

Win98 bootdisk is easy and will let you access the system's partition
via one floppy!

You have that luxury since your
drive is FAT32 formatted (as opposed to Ntfs)

However---
Feel free to alternate &use any and all
combinations of the steps& links above to
best suit your needs !


Good luck! :D
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#28 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 12:26 PM

Ok I double clicked on A: in my computer and the light came on, so I have power going to it. I will buy floppies later today and try the boot disk thing you mentioned free and post everything later.

Edited by PReevesZWebsurfer, 05 June 2004 - 12:30 PM.


#29 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 12:29 PM

You have that luxury since your
drive is FAT32 formatted (as opposed to Ntfs)

I have 2 drives. C: which is the main drive and only has 10gb is the FAT 32. My E: drive is NTFB, but you only are concerned about the C: drive correct?
This computer was built for me from a friend. I have added on it since.

#30 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 11:16 PM

OK I have made a boot disk for Windows 98. I did the custom one rather the OEM. I figured I didnt need the Original Equipment Manufacte one. So here it goes.
Was there anything you wanted me to do after I deleted that file?

#31 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 05 June 2004 - 11:35 PM

To navigate from A:\> type:
c:
type
cd windows
type:
cd system32
In order to rename the file, type:
ren RESIMHA.DLL RESIMHA.old

Restart the system via Ctrl-Alt-Delete, delete the RESIMHA.old.

Followed the instructions
Easy as pie with the 98 boot disk. :D
File is deleted :!:

Now what do you want me to do?

Edited by PReevesZWebsurfer, 05 June 2004 - 11:36 PM.


#32 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 06 June 2004 - 09:58 AM

RESIMHA.DLL is deleted?

Well done!
Open regedit (make sure it opens up to this key!)


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DoubleClick on 'AppInit_DLLs' value, erase the
data in it( C:\WINDOWS\System32\RESIMHA.DLL )

Run all removal tools again, Shredder, ad-Aware to
clean up the rest!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#33 PReevesZWebsurfer

PReevesZWebsurfer

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 06 June 2004 - 11:00 AM

OK I erased the date from the registry key like you wanted and the ran the cleaning tools. Every came clean on both Ad-adaware and SpyboyS&D.
Here are my latest logs for Hijack this and Find now.
Hijack this looks clean to me :thumbsup:
Hijack this log
Logfile of HijackThis v1.97.7
Scan saved at 8:48:47 AM, on 6/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\TGTSoft\StyleXP\CurrentLogon.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
E:\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\COMPUTER\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Trillian.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7810.8512731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Now here is the Find All log
--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Sun Jun 06 08:52:35 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (3D34:18EC) - FS:FAT clusters:8k
Total: 10 230 423 552 [10G] - Free: 1 646 559 232 [1.5G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q321232;Q323759;Q324929;Q328676;Q810847;Q837009;Q832894;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar2.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar2.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.0 shp 134,144 08-23-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
8:52am up 0 days, 0:08

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
336 SMSS.EXE
388 CSRSS.EXE Title:
412 WINLOGON.EXE Title: NetDDE Agent
460 SERVICES.EXE Svcs: Eventlog,PlugPlay
472 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
624 ATI2EVXX.EXE Svcs: Ati HotKey Poller
652 SVCHOST.EXE Svcs: RpcSs
676 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Schedul
,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32T
me,winmgmt,w
700 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService
748 CurrentLogon.EXE
816 SVCHOST.EXE Svcs: Dnscache
832 SVCHOST.EXE Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1008 SPOOLSV.EXE Svcs: Spooler
1284 EXPLORER.EXE Title: Program Manager
1364 ZLCLIENT.EXE Title: AutoVPNAlertDlg
1372 CTFMON.EXE Title:
1396 trillian.exe Title:
1636 SVCHOST.EXE Svcs: stisvc
1656 VSMON.EXE Svcs: vsmon
1704 MsPMSPSv.exe Svcs: WMDM PMSP Service
952 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1960 ntvdm.exe
1136 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [PAUL\COMPUTER], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group PAUL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.

»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
A C:\Find-All\Find-All\oldhosts.txt
--a-- - - - - - 1,202 06-03-2004 oldhosts.txt
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 1,202 06-03-2004 hosts
------
»»Rehash:

Sun Jun 06 08:52:48 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-06-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-06-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


If I am done with this, I will be happy. :weee: and I do thank you for you hard work Freeatlast. How can I help people on this forum?
BTW I have switched over to Mozilla Firefox as my default browser from advice that I got. I love it. Its much better the IE. What is your opinion

Edited by PReevesZWebsurfer, 06 June 2004 - 11:02 AM.


#34 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 06 June 2004 - 11:33 AM

Well done! :D

Smooth ride with 'Win98' rescue! ;)


P.S:
1.) Try to fix your system restore issues, though...
...Troubleshoot System Restore

2.) Asap!!! upgrade to IE6/SP1! your current
version is insecure and outdated for some time now...

Good luck! ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button