isearch blocks IE, refuses definition updates



#61 bookie (Member, Topic Starter)
Thanks Don. I was afraid you might have given up on me after we were so close. Here's the find it log (I think-- it seems like it didn't finish too well in the DOS box):


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/01/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 5051-2328

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 5051-2328

Directory of C:\WINDOWS\system32

04/03/2005 12:08 AM 1,406 amazon-desk.ico
04/03/2005 12:08 AM 1,406 amazon.ico
04/03/2005 12:08 AM 3,262 ebay-desk.ico
04/03/2005 12:08 AM 1,406 ebay.ico
04/03/2005 12:08 AM 3,128 expedia-desk.ico
04/03/2005 12:08 AM 824 expedia.ico
6 File(s) 11,432 bytes
0 Dir(s) 10,589,863,936 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».



And here's the HJT log I ran after findit:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:09 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Ontrack\PowerDesk\PDEXPLO.EXE
C:\Downloads\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/...arconfigchanged
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...en/IbmEgath.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Good luck and thanks.

Kevin
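A small parser for the HijackThis O4/O16/O23 line format used in the log above, with review flags for the kinds of entries this thread had to chase (an 8.3 short name that Explorer would not show, a startup link HJT could not resolve, a service with "Unknown owner"). This is an added example, not HijackThis or Geeks to Go code; the sample lines and the O16 host are constructed, and the triage heuristics are assumptions of this example, not the tool's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the HijackThis v1.99.1 line format seen in this thread.
# The O16 CODEBASE host is a placeholder, not the truncated URL from the real log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://dpf.example.invalid/yacscom.cab
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\\WINDOWS\\System32\\ibmpmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\DefWatch.exe
"""

@dataclass
class Entry:
    section: str               # O4, O16 or O23
    name: str                  # run-key value name, .lnk name, DPF name/CLSID or service name
    target: str                # command line, link target, CODEBASE URL or service binary
    flags: list = field(default_factory=list)

_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.+)$")
_DPF = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def parse_hjt(text):
    """Turn the O4/O16/O23 lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        if m := _RUN.match(line):
            entries.append(Entry("O4", m.group(2), m.group(3)))
        elif m := _STARTUP.match(line):
            entries.append(Entry("O4", m.group(1), m.group(2)))
        elif m := _DPF.match(line):
            entries.append(Entry("O16", m.group(2) or m.group(1), m.group(3)))
        elif m := _SERVICE.match(line):
            e = Entry("O23", m.group(1), m.group(3))
            if m.group(2) == "Unknown owner":
                e.flags.append("unknown-owner")   # HJT could not attribute the service binary
            entries.append(e)
    return entries

def triage(entries):
    """Constructed review heuristics: mark entries worth a second look before any cleanup."""
    for e in entries:
        if re.search(r"~\d", e.target):
            e.flags.append("short-name")          # 8.3 name: expand it before searching in Explorer
        if e.section == "O4" and e.target.strip() == "?":
            e.flags.append("unresolved-link")     # HJT could not resolve the .lnk target
        if e.section == "O16" and e.target.lower().startswith("http://"):
            e.flags.append("plain-http-codebase") # ActiveX control fetched without TLS
    return {e.name: e.flags for e in entries if e.flags}

if __name__ == "__main__":
    for name, flags in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(flags)}")
```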
#62 don77 (Malware Expert, Retired Staff)
Nothing showing there,

try running a couple of online scans:

TrendMicro's HouseCall
ActiveScan

#63 bookie (Member, Topic Starter)
Thanks once again Don. I'll check tonight when I get home from work but it'll be about 11 EST. I didn't bring the notebook to work with me today.

#64 bookie (Member, Topic Starter)
Don, HouseCall didn't report anything weird. I'll scan now with ActiveScan and see what that comes up with.

#65 bookie (Member, Topic Starter)
ActiveScan says it found 3 instances of spyware but I don't think it identified what they were. Would it help if I told you where it found them?

#66 don77 (Malware Expert, Retired Staff)
Yes it would,
can you also tell me: is it just when you try to go online in normal mode that the laptop gets slow, or just pretty much trying to do anything?

#67 bookie (Member, Topic Starter)
Don, here's what ActiveScan found:


Incident                        Status           Location

Adware:Adware/CWS.Searchmeup    No disinfected   C:\Documents and Settings\Administrator\Desktop\1.dat
Adware:Adware/eZula             No disinfected   C:\Program Files\Microsoft AntiSpyware\Quarantine\12392B3F-9E47-4FD6-A616-3E5E83\B96B1320-1859-413F-959F-62A8B6
Adware:Adware/PurityScan        No disinfected   C:\WINDOWS\system32\RNDLL3~1.EXE

#68 don77 (Malware Expert, Retired Staff)
Hi Kevin,
Reboot to safe mode, search for and delete:
C:\Documents and Settings\Administrator\Desktop\1.dat

C:\WINDOWS\system32\RNDLL3~1.EXE
If you can't find them, open killbox, paste them in and kill them that way.

Does the computer only run slow when trying to get online in normal mode, or is it just doing anything at all?

#69 bookie (Member, Topic Starter)
I'm going to reboot into safemode and delete those files. To answer your question, the browsing seems pretty normal, it's just opening and running programs that's slow.

#70 don77 (Malware Expert, Retired Staff)
Could you do something else for me Kevin,

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Generate StartupList Log button.
  • Once you click the button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste the contents back to this post please.

#71 bookie (Member, Topic Starter)
Here's the startup log Don. I had to use killbox for the file in /windows32 as I couldn't find it in explorer.

StartupList report, 5/4/2005, 8:58:28 PM
StartupList version: 1.52.2
Started from : C:\Downloads\hijack\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\SMC2635WMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ontrack\PowerDesk\PDEXPLO.EXE
C:\Downloads\hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
SMC2635W 11Mbps WLAN Monitor.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TrackPointSrv = tp4mon.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
SMS Application Launcher = C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
ZDConfig =
TpHotkey = C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
(Default) =
sunasServ = C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Download Program Files:

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\yacscom.dll
CODEBASE = http://us.chat1.yimg...v45/yacscom.cab

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[IBM Access Support]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IbmEgath.dll
CODEBASE = https://www-3.ibm.co...en/IbmEgath.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8014.3647800926

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,091 bytes
Report generated in 0.240 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#72 don77 (Malware Expert, Retired Staff)
Well Kevin,
You should probably go to msconfig by clicking Start > Run, typing in msconfig, and going to the Startup tab to see if there are any programs running from startup that you don't need running.
Also go to Add/Remove Programs and remove any programs you no longer use.
Probably a good time to do some maintenance on your system: clean up Temp files (you can use Cleanup! for that) and defrag.

The logs look pretty clean now.

#73 bookie (Member, Topic Starter)
Thanks for everything Don. Cleanup! is a great suggestion. I hope you realize how much I appreciate what you do and the sacrifices you make to help the helpless. I had given up on the notebook a couple times and the IT guy at work recommended just reformatting and reinstalling XP. This is a work computer. He's one of my best friends so I know he would have done what he could to help me but it fell to you to save me. I have looked forward to seeing posts from you knowing there was more help on the way. I hope you don't mind if I say I hope not to need your help professionally again (but if I do I'll let you know).

#74 don77 (Malware Expert, Retired Staff)
Great to hear Kevin,
I'm glad I could help and we finally got you squared away.
I will close this topic as it seems to be resolved now;
should you need it opened for any reason please PM a member of the staff.
Please provide a link to the topic.

Good luck Kevin,
BTW
Thank you

Don

> I hope you don't mind if I say I hope not to need your help professionally again (but if I do I'll let you know).

Totally understand :tazz: