
Need help with getting rid of trojan horses! [RESOLVED]


  • This topic is locked

#106
Wizard
  • Retired Staff
  • 5,661 posts
Let's have a look here:

C:\Windows\System32\Drivers

Open the Drivers folder and see if this file exists:

delprot.sys

Also, hang onto that registry entry, we may want to remove it in a bit!
  • 0



#107
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
No, delprot.sys isn't there.
  • 0

#108
Wizard
  • Retired Staff
  • 5,661 posts
OK, now I need to see the results of that registry key. Could you collect as much of the info that is displayed as possible and post it in this thread?
  • 0

#109
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
Name Type Data

(Default) REG_SZ C:\Program Files\Microsoft Office\OFFICE11\MSUSP.DLL

InprocServer32 REG_MULTI_SZ )l1^Vn-}f(ZXfeAR6.jiSearchOutlookFiles>2OfoI)vH)A!...

ThreadingModel REG_SZ Both
  • 0

#110
Wizard
  • Retired Staff
  • 5,661 posts
Exactly what path was this key located at?

The entire path, please!
  • 0

#111
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
My Computer\HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}
  • 0

#112
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
My Computer\HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}\InprocServer32


Here the path is from inprocserver32. I had ended up doing something, and I have no idea what I did, that got me these results which I posted a little while ago...

Name Type Data

(Default) REG_SZ C:\Program Files\Microsoft Office\OFFICE11\MSUSP.DLL

InprocServer32 REG_MULTI_SZ )l1^Vn-}f(ZXfeAR6.jiSearchOutlookFiles>2OfoI)vH)A!...

ThreadingModel REG_SZ Both

The first time I got...

Name Type Data

(Default) REG_SZ Content Index ISearch Creator Object


When I exited out of registry editor, and did the search for isearch again, I got the exact same results as the first time.

And this is the path for it: My Computer\HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}


Sorry if I'm making it confusing. I'll leave registry editor alone until I need to look at something, or delete something, so it doesn't get too confusing.
  • 0

#113
Wizard
  • Retired Staff
  • 5,661 posts
Scratch that last post.
Atribune is on his way, he is much more skilled here!!!

Edited by Cretemonster, 26 March 2005 - 08:50 PM.

  • 0

#114
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Copy the info from the code box below:
regedit /e c:\key.txt "HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}"

Next, click Start, then Run, paste the info you just copied into the text box labeled "Open:", and then press Enter.

Next, navigate to c:\, find key.txt, open it with Notepad and copy the contents.

Next, paste what you just copied into a response to this thread.
  • 0

#115
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}]
@="Content Index ISearch Creator Object"

[HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}\InprocServer32]
@="query.dll"
"ThreadingModel"="Both"
  • 0
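
Added example, not part of the original thread or any poster's tool: a small parser for the `regedit /e` export format shown in the post above, which compares the `InprocServer32` values of an export against a known-good baseline export of the same key. The function names, the choice of the posted export as baseline, and the changed sample are assumptions made for illustration.

```python
import re

# Export exactly as posted in the thread (output of the regedit /e command).
POSTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}]
@="Content Index ISearch Creator Object"

[HKEY_CLASSES_ROOT\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}\InprocServer32]
@="query.dll"
"ThreadingModel"="Both"
'''
# Constructed sample (not from the thread): same key, different in-process server.
CONSTRUCTED_CHANGED = POSTED_EXPORT.replace('@="query.dll"', r'@="C:\\Temp\\example.dll"')

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s: str) -> str:
    """Strip the surrounding quotes and undo backslash escapes."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_reg(text: str) -> dict:
    """Map each key (upper-cased) to {value name (lower-cased): data}. String values
    are unescaped; dword:/hex: data stays raw and hex continuation lines are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1).upper(), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = '' if m.group(1) == '@' else unquote(m.group(1))
            data = m.group(2)
            current[name.lower()] = unquote(data) if data.startswith('"') else data
    return keys

def inproc_changes(baseline: str, current: str) -> list:
    """List (key, value name, baseline data, current data) for every
    InprocServer32 value that differs between two exports (case-insensitive)."""
    base, cur = parse_reg(baseline), parse_reg(current)
    changes = []
    for key in sorted(set(base) | set(cur)):
        if not key.endswith('\\INPROCSERVER32'):
            continue
        b, c = base.get(key, {}), cur.get(key, {})
        for name in sorted(set(b) | set(c)):
            if (b.get(name) or '').lower() != (c.get(name) or '').lower():
                changes.append((key, name or '(Default)', b.get(name), c.get(name)))
    return changes
```

Version 5.00 exports are written as UTF-16, so read key.txt with `encoding='utf-16'` before passing its text to these functions.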



#116
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Can you please post a new HijackThis log?
  • 0

#117
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:33:43 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kristy\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

#118
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Please download isff.zip from http://www.atribune....nloads/isff.zip

Open one Firefox window and keep it open till done with the rest of these instructions.

Extract isff.zip to its own folder, then run isff.bat by double-clicking it.

When it finishes running, it will open a Notepad window with a bunch of text in it. Please post all of it.

Edited by Atribune, 26 March 2005 - 10:40 PM.

  • 0

#119
Kristy
    Visiting Consultant
  • Topic Starter
  • Member
  • 1,099 posts
Module information for 'firefox.exe'
MODULE BASE SIZE PATH
firefox.exe 400000 6713344 C:\Program Files\Mozilla Firefox\firefox.exe 1.0.2 Firefox
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
js3250.dll 60070000 344064 C:\Program Files\Mozilla Firefox\js3250.dll 4.0 Netscape 32-bit JavaScript Module
nspr4.dll 60130000 155648 C:\Program Files\Mozilla Firefox\nspr4.dll 4.5 Beta NSPR Library
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
xpcom.dll 602d0000 393216 C:\Program Files\Mozilla Firefox\xpcom.dll 1.7.6: 2005031717
plc4.dll 60200000 28672 C:\Program Files\Mozilla Firefox\plc4.dll 4.5 Beta PLC Library
plds4.dll 60210000 24576 C:\Program Files\Mozilla Firefox\plds4.dll 4.5 Beta PLDS Library
SHELL32.dll 7c9c0000 8470528 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.2578 (xpsp_sp2_gdr.041130-1729) Windows Shell Common Dll
GDI32.dll 77f10000 286720 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.2573 (xpsp_sp2_gdr.041130-1729) Shell Light-weight Utility Library
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
smime3.dll 60230000 106496 C:\Program Files\Mozilla Firefox\smime3.dll 3.9.3 NSS S/MIME Library
nss3.dll 60160000 348160 C:\Program Files\Mozilla Firefox\nss3.dll 3.9.3 NSS Base Library
softokn3.dll 60250000 368640 C:\Program Files\Mozilla Firefox\softokn3.dll 3.9.3 NSS PKCS #11 Library
ssl3.dll 602b0000 110592 C:\Program Files\Mozilla Firefox\ssl3.dll 3.9.3 NSS SSL Library
xpcom_compat.dll 60330000 81920 C:\Program Files\Mozilla Firefox\xpcom_compat.dll 1.7.6: 2005031717
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
COMCTL32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
uxtheme.dll 5ad70000 229376 C:\WINDOWS\system32\uxtheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
msimtf.dll 746f0000 172032 C:\WINDOWS\System32\msimtf.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Active IMM Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
jar50.dll 60020000 53248 C:\Program Files\Mozilla Firefox\components\jar50.dll 1.7.6: 2005031717
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
msimg32.dll 76380000 20480 C:\WINDOWS\system32\msimg32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DNS Client API DLL
winrnr.dll 76fb0000 32768 C:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access AutoDial Helper
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
netapi32.dll 5b860000 344064 C:\WINDOWS\system32\netapi32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection
MSVBVM60.DLL 73420000 1392640 C:\WINDOWS\system32\MSVBVM60.DLL 6.00.9690 Visual Basic Virtual Machine
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
  • 0

#120
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Can you describe in detail any and all problems you are still having? All of your logs are clean. The registry keys you posted are standard for Windows.
  • 0





