Jump to content


Photo

"topotun.com" Won't Let Me Go


  • Please log in to reply
11 replies to this topic

#1 Pulsar

Pulsar

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 12 June 2004 - 06:19 PM

Hello Forum,

I've got a browser hijacker that has been resistant to the normal fix procedures (unless I'm forgetting something that's pretty basic). Here are my HJT log and my start-up list---have at 'em!

Thanks a lot,

Pulsar

Logfile of HijackThis v1.97.7
Scan saved at 11:43:03 AM, on 6/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Sys32Smm.exe
C:\Program Files\Washer\washer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: winlgn.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Anonymizer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports....lgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports....nflst8252_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PEInstaller.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7732.9287268519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab


StartupList report, 6/12/2004, 3:49:11 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\devldr32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Sys32Smm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe
C:\WINNT\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = ?
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
winlgn.exe
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C2K = C:\WINNT\Cyb2k.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "Home"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
MutexServiceEx = Sys32Smm.exe /run
PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
msmc = C:\WINNT\System32\msmc.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job
ISP signup reminder 3.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1408.g.akama...iTunesSetup.exe

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]
CODEBASE = http://www.surfsecre...PEInstaller.exe

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[RegConfig Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll
CODEBASE = http://download.yaho...rod/yregcfg.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7732.9287268519

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
CODEBASE = http://ax.phobos.app.../ITDetector.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINNT\System32\lspcs.dll
Protocol #2: C:\WINNT\System32\lspcs.dll
Protocol #3: C:\WINNT\System32\lspcs.dll
Protocol #4: C:\WINNT\System32\lspcs.dll
Protocol #5: C:\WINNT\System32\lspcs.dll
Protocol #6: C:\WINNT\System32\lspcs.dll
Protocol #7: C:\WINNT\System32\lspcs.dll
Protocol #8: C:\WINNT\System32\lspcs.dll
Protocol #9: C:\WINNT\System32\lspcs.dll
Protocol #10: C:\WINNT\System32\lspcs.dll
Protocol #11: C:\WINNT\System32\lspcs.dll
Protocol #12: C:\WINNT\System32\lspcs.dll
Protocol #13: C:\WINNT\System32\lspcs.dll
Protocol #14: C:\WINNT\System32\lspcs.dll
Protocol #15: C:\WINNT\System32\lspcs.dll
Protocol #16: C:\WINNT\System32\lspcs.dll
Protocol #17: C:\WINNT\System32\lspcs.dll
Protocol #18: C:\WINNT\System32\lspcs.dll
Protocol #19: C:\WINNT\System32\lspcs.dll
Protocol #39: C:\WINNT\System32\lspcs.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 9,036 bytes
Report generated in 0.090 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 dolphins

dolphins

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 131 posts

Posted 12 June 2004 - 07:10 PM

Download and run CWShredder from my signature by clicking the fix button.

Reboot, rescan with HJT and post a fresh log here.

#3 Pulsar

Pulsar

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 12 June 2004 - 08:16 PM

Dolphins,

Here are the fresh logs per your request---thanks for the timely response. The CWS report said that 5 registry entries were fixed, but as you can see, the problem still exists. Incidentally, I noticed that during my machine's shutdown, I got a message that a program called "Win Min" was ending with a status bar. When the bar finished running, I got another message saying that "Win Min" was not responding---I had to click an "End Now" button to complete the shutdown phase of the reboot. Does this mean anything to you?

Thanks again!

Pulsar

Logfile of HijackThis v1.97.7
Scan saved at 6:07:06 PM, on 6/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Sys32Smm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: winlgn.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Anonymizer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports....lgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports....nflst8252_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PEInstaller.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7732.9287268519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab


StartupList report, 6/12/2004, 6:07:26 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Sys32Smm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe
C:\WINNT\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = ?
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
winlgn.exe
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C2K = C:\WINNT\Cyb2k.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "Home"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
MutexServiceEx = Sys32Smm.exe /run
PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
msmc = C:\WINNT\System32\msmc.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job
ISP signup reminder 3.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1408.g.akama...iTunesSetup.exe

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]
CODEBASE = http://www.surfsecre...PEInstaller.exe

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[RegConfig Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll
CODEBASE = http://download.yaho...rod/yregcfg.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7732.9287268519

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
CODEBASE = http://ax.phobos.app.../ITDetector.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINNT\System32\lspcs.dll
Protocol #2: C:\WINNT\System32\lspcs.dll
Protocol #3: C:\WINNT\System32\lspcs.dll
Protocol #4: C:\WINNT\System32\lspcs.dll
Protocol #5: C:\WINNT\System32\lspcs.dll
Protocol #6: C:\WINNT\System32\lspcs.dll
Protocol #7: C:\WINNT\System32\lspcs.dll
Protocol #8: C:\WINNT\System32\lspcs.dll
Protocol #9: C:\WINNT\System32\lspcs.dll
Protocol #10: C:\WINNT\System32\lspcs.dll
Protocol #11: C:\WINNT\System32\lspcs.dll
Protocol #12: C:\WINNT\System32\lspcs.dll
Protocol #13: C:\WINNT\System32\lspcs.dll
Protocol #14: C:\WINNT\System32\lspcs.dll
Protocol #15: C:\WINNT\System32\lspcs.dll
Protocol #16: C:\WINNT\System32\lspcs.dll
Protocol #17: C:\WINNT\System32\lspcs.dll
Protocol #18: C:\WINNT\System32\lspcs.dll
Protocol #19: C:\WINNT\System32\lspcs.dll
Protocol #39: C:\WINNT\System32\lspcs.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 9,005 bytes
Report generated in 0.100 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#4 dolphins

dolphins

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 131 posts

Posted 12 June 2004 - 09:26 PM

Yes, unfortunately "Win Min" does mean something among the other problems you have here.

So lets start with Updating all windows patches from HERE then Disable System Restore, then an AV Online Scan and an Online Trojan Scan, remove what they find.

Next, Check the following in HJT with all windows closed and remove them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - Global Startup: winlgn.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

Show Hidden files, Boot into Safe Mode, navagate to the following files and delete them,

C:\WINNT\System32\msmc.exe
C:\WINNT\Sys32Smm.exe

Boot to normal mode, re-enable System restore, rescan with HJT and post a new log here.

#5 Pulsar

Pulsar

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 13 June 2004 - 04:19 AM

Dolphins,

Tried to execute your instructions, but I was met by stiff resistance---please note:

1. For some reason, I couldn't download any Windows patches. Every time I clicked the "Update" button, the same "Download Updates" page kept reappearing with no evidence that I had downloaded anything.

2. The AV Online Scan found 9 un-repairable files that I was able to fix (delete).

3. The Online Trojan Scan revealed the following once my firewall was disabled:

Service Ports Status Possible Trojans
Trojan 5000 OPEN Bubbel, Back Door Setup, Sockets de Troire

However, the site gave no instructions for addressing this find.

4. The HJT scan couldn't delete " 04 - Global Startup: winlgn.exe ". A message said to shut the program down by using the Task Manager, and then use HJT to delete the file. Before I comply to this instruction, I want to bounce it off of you to make sure that this is the right thing to do.

Here are the latest logs-----where do we go from here?

Pulsar


Logfile of HijackThis v1.97.7
Scan saved at 2:16:32 AM, on 6/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: winlgn.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Anonymizer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports....lgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports....nflst8252_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PEInstaller.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7732.9287268519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E180430C-38A8-47DA-9DBE-176BFF169CDE}: NameServer = 206.13.29.12 206.13.30.12


StartupList report, 6/13/2004, 2:16:41 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe
C:\WINNT\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = ?
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
winlgn.exe
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C2K = C:\WINNT\Cyb2k.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "Home"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job
ISP signup reminder 3.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1408.g.akama...iTunesSetup.exe

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]
CODEBASE = http://www.surfsecre...PEInstaller.exe

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[RegConfig Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll
CODEBASE = http://download.yaho...rod/yregcfg.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7732.9287268519

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
CODEBASE = http://ax.phobos.app.../ITDetector.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINNT\System32\lspcs.dll
Protocol #2: C:\WINNT\System32\lspcs.dll
Protocol #3: C:\WINNT\System32\lspcs.dll
Protocol #4: C:\WINNT\System32\lspcs.dll
Protocol #5: C:\WINNT\System32\lspcs.dll
Protocol #6: C:\WINNT\System32\lspcs.dll
Protocol #7: C:\WINNT\System32\lspcs.dll
Protocol #8: C:\WINNT\System32\lspcs.dll
Protocol #9: C:\WINNT\System32\lspcs.dll
Protocol #10: C:\WINNT\System32\lspcs.dll
Protocol #11: C:\WINNT\System32\lspcs.dll
Protocol #12: C:\WINNT\System32\lspcs.dll
Protocol #13: C:\WINNT\System32\lspcs.dll
Protocol #14: C:\WINNT\System32\lspcs.dll
Protocol #15: C:\WINNT\System32\lspcs.dll
Protocol #16: C:\WINNT\System32\lspcs.dll
Protocol #17: C:\WINNT\System32\lspcs.dll
Protocol #18: C:\WINNT\System32\lspcs.dll
Protocol #19: C:\WINNT\System32\lspcs.dll
Protocol #39: C:\WINNT\System32\lspcs.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 9,028 bytes
Report generated in 0.091 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#6 dolphins

dolphins

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 131 posts

Posted 13 June 2004 - 08:00 AM

Download Unplug n' Pray to disable UPnP.

Disconnect from the internet, boot into safe mode, Ctrl/Alt/Del and make sure nothing is running except for "explorer" and "Systray" run CWShredder and then HJT, remove the the items mentioned in earlier post.

While still in safe mode, show hidden files, search for and delete winlgn.exe.

Boot back to normal mode, connect to the internet, rescan with HJT and post a fresh log here.

#7 Pulsar

Pulsar

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 14 June 2004 - 02:36 AM

Dolphins,

I've got control of my browser again---thanks! The latest logs are posted. I had to restore some of the items you told me to fix as they seemed to belong to legit programs I have running (I had to re-install one of them after fixing)----if you still have reservations about anything that is still in my logs, let me know.

Thanks again!!

Pulsar

Logfile of HijackThis v1.97.7
Scan saved at 12:29:44 AM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Sys32Smm.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Anonymizer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports....lgcst1010_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports....nflst8252_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PEInstaller.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7732.9287268519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E180430C-38A8-47DA-9DBE-176BFF169CDE}: NameServer = 206.13.29.12 206.13.30.12


StartupList report, 6/14/2004, 12:29:55 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\Cyb2k.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\Sys32Smm.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe
C:\WINNT\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = ?
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C2K = C:\WINNT\Cyb2k.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "Home"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0
PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
MutexServiceEx = Sys32Smm.exe /run

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job
ISP signup reminder 3.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1408.g.akama...iTunesSetup.exe

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]
CODEBASE = http://www.surfsecre...PEInstaller.exe

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[RegConfig Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll
CODEBASE = http://download.yaho...rod/yregcfg.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7732.9287268519

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
CODEBASE = http://ax.phobos.app.../ITDetector.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINNT\System32\lspcs.dll
Protocol #2: C:\WINNT\System32\lspcs.dll
Protocol #3: C:\WINNT\System32\lspcs.dll
Protocol #4: C:\WINNT\System32\lspcs.dll
Protocol #5: C:\WINNT\System32\lspcs.dll
Protocol #6: C:\WINNT\System32\lspcs.dll
Protocol #7: C:\WINNT\System32\lspcs.dll
Protocol #8: C:\WINNT\System32\lspcs.dll
Protocol #9: C:\WINNT\System32\lspcs.dll
Protocol #10: C:\WINNT\System32\lspcs.dll
Protocol #11: C:\WINNT\System32\lspcs.dll
Protocol #12: C:\WINNT\System32\lspcs.dll
Protocol #13: C:\WINNT\System32\lspcs.dll
Protocol #14: C:\WINNT\System32\lspcs.dll
Protocol #15: C:\WINNT\System32\lspcs.dll
Protocol #16: C:\WINNT\System32\lspcs.dll
Protocol #17: C:\WINNT\System32\lspcs.dll
Protocol #18: C:\WINNT\System32\lspcs.dll
Protocol #19: C:\WINNT\System32\lspcs.dll
Protocol #39: C:\WINNT\System32\lspcs.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 8,908 bytes
Report generated in 0.090 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#8 dolphins

dolphins

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 131 posts

Posted 14 June 2004 - 08:29 AM

This is the one you reinstalled,

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

Correct?

You still have one problem to clear up.

Have HJT remove O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run

Reboot, show hidden files, navagate to C:\WINNT\Sys32Smm.exe and delete it.

Reboot and post a fresh log here.

#9 Nimmy

Nimmy

    Member

  • New Member
  • Pip
  • 2 posts

Posted 19 June 2004 - 07:49 PM

I came to this site doing a search on google about topotun.com It was holding my homepage hostage and my computer was doing weird stuff, like not shutting down right , there was this winmin running, it was crazy ! After reading more on this site and others the first thing I did was update my Win98 with all the latest and greatest patches. I tried Ad-aware, Spyhunter and even Norton and the thing still came back. The Hijackthis that was mentioned looked exactly like something I could easily mess up so I was reluctant to do that.

At that point I was getting a tad hot so I went to my NEW homepage topotun.com with the intention of leaving them a nice colorful email. On the right bottom of the page is a link Support . I click that and in there is something you can download called uninstall.zip made to uninstall topotun.com. With my anti virus program on full alert I downloaded the file unzipped it ran the uninstall.exe. It all took about 2 minutes. IT WORKED. No more homepage hijacking, no more weird search engine, no more Winmin.

It was so easy I could hardly believe it. I rebooted 3 times just to be sure. I just wanted to share this in case someone gets in my position. Going through the fixs , etc , with Hijackthis looked complicated to me, but this uninstall thing was a snap.

Nimmy

#10 dolphins

dolphins

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 131 posts

Posted 19 June 2004 - 08:39 PM

Nimmy,


From what you have posted, we are supposed to believe that the originator of this scumware is somehow feeling sorry for what they have done and has put out an uninstaller that will completely uninstall their software.

Yet their software still exists and is infecting machines while people like me haven't a clue, Right?

Is that what your saying????

Is it????

#11 Nimmy

Nimmy

    Member

  • New Member
  • Pip
  • 2 posts

Posted 19 June 2004 - 09:29 PM

Dolphin,

Here is the current hijackthis file from my system. Maybe you can understand how it might have been changed . I ran hijackthis a few days ago when all the fun was happening but did not save the file because at that time I was hoping there would be an easier way. All I know is my computer operates better and my homepage has been release from captivity.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:35 PM, on 6/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYHUNTER\POPUPBLOCKER\ENIGMAPOPUPSTOP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MIRC\MIRC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SOL.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://martfinder.com/crindex.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [v55mubx8d8] C:\WINDOWS\WINRAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\HIGHSTREAM TURBO\HSTURBO.EXE/227
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Guide (HKLM)
O9 - Extra button: PeoplePC (HKLM)
O9 - Extra button: Wallet (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...4/heartbeat.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.nor...c/bin/cabsa.cab
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libe...et/econnect.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbu...uddyinstall.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://jobs.tntlogis...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com...rt/IbmEgath.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.0788773148

I am as surprised as anyone, I figured when I clicked on that website my computer would be completely gone. But at that time I didn't care.

Nimmy

#12 dolphins

dolphins

    Advanced Member

  • Retired Staff - Helper
  • PipPipPip
  • 131 posts

Posted 21 June 2004 - 06:44 PM

Nimmy,

You have quite a few problems as indicated by your log.

Download and run CWShredder by clicking the link in my signature. (click the FIX button with all windows closed)

Run complete scans by checking all boxes in both programs listed below,

http://housecall.trendmicro.com/
http://www.pandasoft...n_principal.htm

Download and run a trial version of an Anti-Trojan by clicking the link in my signature.

Reboot, rescan with HJT and post a fresh log here along with the full file path to any file you were not able to remove with the tools mentioned.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button