
SpywareSecure [RESOLVED]



#16 Zanshin (Member, Topic Starter, 113 posts)
These are the results of OTMoveIt2, although 1 file failed to move. Just about to reboot and follow further instructions.

File move failed. c:\documents and settings\owner\local settings\application data\ztyseqk.exe scheduled to be moved on reboot.
File/Folder C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop(2).ini not found.
File/Folder C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop(3).ini not found.
File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop(2).ini not found.
File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop(3).ini not found.
File/Folder HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ztyseqk not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools not found.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04032008_193453

#17 Zanshin (Member, Topic Starter, 113 posts)
After I rebooted, Notepad opened a window with this information in.

File move failed. c:\documents and settings\owner\local settings\application data\ztyseqk.exe scheduled to be moved on reboot.
File/Folder C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop(2).ini not found.
File/Folder C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop(3).ini not found.
File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop(2).ini not found.
File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop(3).ini not found.
File/Folder HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ztyseqk not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools not found.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04032008_193453

Files moved on Reboot...
c:\documents and settings\owner\local settings\application data\ztyseqk.exe moved successfully.

#18 Zanshin (Member, Topic Starter, 113 posts)
This is the last report after reboot, from Fixwareout.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "nqpsc" Value deleted
HKCR\CLSID\{E70BF4DB-25BA-4C7D-8D76-47B06C028B30}\_h\4 Deleted.
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"SlipStream"="\"C:\\Program Files\\ONSPEED\\onspeedcore.exe\""
"FileZilla Server Interface"="\"C:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SmartRAM"="C:\\Program Files\\IObit\\Advanced WindowsCare V2\\MemCleaner.exe /m"
"SpyHunter Security Suite"="\"C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe\" -minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe /S"
"msnmsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VoipBuster"="\"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe\" -nosplash -minimized"
"Uniblue SpeedUpMyPC"=""
"ztyseqk"="c:\\documents and settings\\owner\\local settings\\application data\\ztyseqk.exe ztyseqk"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
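The Fixwareout report above lists every value under the HKLM and HKCU Run keys, and the helper's later instruction singles out the one that runs from the user's Local Settings\Application Data folder. The following Python script is an added example, not part of the thread or of Fixwareout: it parses that registry-export style listing, unescapes the paths, extracts the executable from both quoted and unquoted commands, and flags values that are empty or whose program lives in a user-writable directory. The sample text is a constructed excerpt of the listing above, and the list of suspect directories is an assumed heuristic.

```python
import re

# Constructed sample: a trimmed copy of the "Current runs" section of the Fixwareout
# report above, in the registry-export syntax it uses (backslashes and embedded
# quotes are escaped with a backslash).
SAMPLE_REPORT = r'''
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Uniblue SpeedUpMyPC"=""
"ztyseqk"="c:\\documents and settings\\owner\\local settings\\application data\\ztyseqk.exe ztyseqk"
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories a limited XP user can write to; an autorun pointing here deserves a look.
# (Assumed heuristic, not a rule from the thread or from Fixwareout.)
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


def unescape(text):
    # Undo registry-export escaping: a backslash protects the next character.
    return re.sub(r'\\(.)', r'\1', text)


def parse_run_keys(report):
    """Return (key, value_name, command) triples for every value under a Run key."""
    entries, key = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def command_executable(command):
    """Pull the program path out of a Run value, handling quoted and unquoted forms."""
    cmd = command.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):                      # "C:\Program Files\...\x.exe" /args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path that may contain spaces: cut at the first ".exe" token boundary.
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def audit_run_keys(report):
    """Return review candidates: empty values and programs in user-writable places."""
    findings = []
    for key, name, command in parse_run_keys(report):
        exe = command_executable(command)
        if not exe:
            findings.append({"key": key, "name": name, "exe": exe,
                             "reason": "empty command (orphaned entry)"})
        elif any(d in exe.lower() for d in SUSPECT_DIRS):
            findings.append({"key": key, "name": name, "exe": exe,
                             "reason": "runs from a user-writable profile/temp directory"})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REPORT):
        print(f"{f['key']}")
        print(f"  {f['name']!r}: {f['reason']} [{f['exe']}]")
```

A hit is a review candidate, not a verdict: legitimate updaters also install themselves under a user profile. The point of scripting it is that the same check can be run over a regedit .reg export, which uses the same escaping, instead of reading a long list by eye.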

#19 Zanshin (Member, Topic Starter, 113 posts)
This is one part of the report from HJT (stats on my logfile entries), which, after doing a HJT scan and pressing "Analyse This", took me to the HJT website.

Comparison of your HijackThis log file items to others
The table below compares the items HijackThis found on your computer with those on other people's computers. The column "% of PCs with item" indicates what percent of other people's HijackThis log files contain the item in that row of the table. Additional information will be provided as more HijackThis log files are added to the AnalyzeThis database.

Each entry is coded to indicate the type of item it is on your computer. An explanation of these codes may be found at the bottom of this page.


Index % of PCs with item Code Data
1 0.8% O10 c:\windows\system32\nwprovau.dll
2 0.7% O16 {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
3 0.3% O16 {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
4 0.0% O16 {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
5 0.0% O16 {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akama...ol/SymDlBrg.cab
6 0.0% O16 {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.h...ctDetection.cab
7 0.0% O16 {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.h...llMgr_v01_5.cab
8 0.0% O16 {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
9 0.0% O16 {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://webcam.fba.or...activex/AMC.cab
10 1.0% O2 Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
11 0.9% O2 Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
12 0.9% O2 SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
13 0.0% O2 NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
14 0.0% O2 (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
15 0.1% O20 !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
16 1.8% O23 InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
17 1.3% O23 Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
18 0.9% O23 avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
19 0.9% O23 avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
20 0.4% O23 NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
21 0.4% O23 avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
22 0.4% O23 avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
23 0.1% O23 Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
24 0.1% O23 InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
25 0.0% O23 FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
26 0.0% O23 ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
27 0.0% O23 SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
28 0.0% O23 AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
29 0.0% O23 Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
30 6.1% O4 [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
31 4.0% O4 [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
32 3.9% O4 [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
33 1.6% O4 [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
34 1.4% O4 [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
35 1.3% O4 [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
36 1.0% O4 [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
37 0.3% O4 [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
38 0.3% O4 [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
39 0.0% O4 [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
40 0.0% O4 [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
41 0.0% O4 Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
42 0.0% O4 [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
43 0.0% O4 [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
44 0.0% O4 [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
45 0.0% O4 [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
46 0.0% O4 [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
47 0.0% O4 [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
48 0.0% O4 [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
49 0.0% O4 [ztyseqk] c:\documents and settings\owner\local settings\application data\ztyseqk.exe ztyseqk
50 0.5% O8 E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
51 9.5% P01 C:\WINDOWS\Explorer.EXE
52 9.2% P01 C:\WINDOWS\system32\svchost.exe
53 9.2% P01 C:\WINDOWS\system32\lsass.exe
54 9.2% P01 C:\WINDOWS\system32\winlogon.exe
55 9.2% P01 C:\WINDOWS\system32\services.exe
56 9.2% P01 C:\WINDOWS\System32\smss.exe
57 8.9% P01 C:\WINDOWS\system32\spoolsv.exe
58 6.4% P01 C:\WINDOWS\system32\ctfmon.exe
59 3.7% P01 C:\Program Files\Internet Explorer\iexplore.exe
60 2.6% P01 C:\WINDOWS\system32\nvsvc32.exe
61 2.3% P01 C:\WINDOWS\system32\wuauclt.exe
62 1.6% P01 C:\Program Files\Messenger\msmsgs.exe
63 1.1% P01 C:\WINDOWS\system32\csrss.exe
64 1.0% P01 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
65 1.0% P01 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
66 0.9% P01 C:\Program Files\Alwil Software\Avast4\ashServ.exe
67 0.8% P01 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
68 0.8% P01 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
69 0.8% P01 C:\WINDOWS\system32\wbem\wmiprvse.exe
70 0.6% P01 C:\WINDOWS\System32\HPZipm12.exe
71 0.4% P01 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
72 0.3% P01 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
73 0.3% P01 C:\Program Files\Ahead\InCD\InCDsrv.exe
74 0.2% P01 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
75 0.0% P01 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
76 0.0% P01 C:\Program Files\FileZilla Server\FileZilla Server.exe
77 0.0% P01 C:\Program Files\RALINK\Common\RaUI.exe
78 0.0% P01 C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
79 0.0% P01 C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
80 0.0% P01 C:\Program Files\ONSPEED\onspeedcore.exe
81 0.0% P01 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
82 0.0% P01 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
83 0.0% P01 C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
84 0.0% P01 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
85 0.0% P01 C:\Program Files\Windows Live\Messenger\usnsvc.exe
86 0.0% P01 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
87 0.9% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
88 0.1% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
89 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
90 0.0% R1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.onspeed.c...38ab04c07a79531

Explanation of the codes

R - Registry, StartPage/SearchPage changes


R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be

F - IniFiles, autoloading entries


F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry

N - Netscape/Mozilla StartPage/SearchPage changes


N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla

O - Other, several sections which represent:


O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Enumeration of ActiveX Desktop Components

This is what was listed under "Info" on the HJT analysis. The scan results with the tick boxes gave me no option to copy/paste etc.


* Trend Micro HijackThis v2.0.2 *


See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Enumeration of ActiveX Desktop Components

Command-line parameters:
* /autolog - automatically scan the system, save a logfile and open it
* /ihatewhitelists - ignore all internal whitelists
* /uninstall - remove all HijackThis Registry entries, backups and quit
* /silentautuolog - the same as /autolog, except with no required user intervention

* Version history *

[v2.00.0]
* AnalyzeThis added for log file statistics
* Recognizes Windows Vista and IE7
* Fixed a few bugs in the O23 method
* Fixed a bug in the O22 method (SharedTaskScheduler)
* Did a few tweaks on the log format
* Fixed and improved ADS Spy
* Improved Itty Bitty Procman (processes are frozen before they are killed)
* Added listing of O4 autoruns from other users
* Added listing of the Policies Run items in O4 method, used by SmitFraud trojan
* Added /silentautolog parameter for system admins
* Added /deleteonreboot [file] parameter for system admins
* Added O24 - ActiveX Desktop Components enumeration
* Added Enhanced Security Confirguration (ESC) Zones to O15 Trusted Sites check
[v1.99.1]
* Added Winlogon Notify keys to O20 listing
* Fixed crashing bug on certain Win2000 and WinXP systems at O23 listing
* Fixed lots and lots of 'unexpected error' bugs
* Fixed lots of inproper functioning bugs (i.e. stuff that didn't work)
* Added 'Delete NT Service' function in Misc Tools section
* Added ProtocolDefaults to O15 listing
* Fixed MD5 hashing not working
* Fixed 'ISTSVC' autorun entries with garbage data not being fixed
* Fixed HijackThis uninstall entry not being updated/created on new versions
* Added Uninstall Manager in Misc Tools to manage 'Add/Remove Software' list
* Added option to scan the system at startup, then show results or quit if nothing found
[v1.99]
* Added O23 (NT Services) in light of newer trojans
* Integrated ADS Spy into Misc Tools section
* Added 'Action taken' to info in 'More info on this item'
[v1.98]
* Definitive support for Japanese/Chinese/Korean systems
* Added O20 (AppInit_DLLs) in light of newer trojans
* Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
* Added O22 (SharedTaskScheduler) in light of newer trojans
* Backups of fixed items are now saved in separate folder
* HijackThis now checks if it was started from a temp folder
* Added a small process manager (Misc Tools section)
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.
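The AnalyzeThis table above attaches to each item the share of submitted logs that contain it, and a helper reads it by scanning the autostart sections for entries that almost nobody else has. The Python below is an added example, not part of the thread or of HijackThis, that does the same triage mechanically: it parses the "Index / % of PCs / Code / Data" rows, keeps the autostart-related sections, and returns the rarest entries together with a note when an entry points at a file that no longer exists. The sample rows are a constructed excerpt of the table, and the set of section codes and the 0.1% threshold are assumptions.

```python
import re

# Constructed sample: seven rows copied from the AnalyzeThis comparison table above
# (index, share of PCs in the AnalyzeThis database with the item, HJT section code, data).
SAMPLE_TABLE = r"""
Index % of PCs with item Code Data
12 0.9% O2 SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
14 0.0% O2 (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
27 0.0% O23 SPBBCSvc - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
30 6.1% O4 [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
36 1.0% O4 [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
49 0.0% O4 [ztyseqk] c:\documents and settings\owner\local settings\application data\ztyseqk.exe ztyseqk
51 9.5% P01 C:\WINDOWS\Explorer.EXE
"""

# index, percentage, section code, rest of the line
ROW_RE = re.compile(r'^(\d+)\s+(\d+(?:\.\d+)?)%\s+([A-Z]\d+)\s+(.*)$')

# HJT sections that describe code loaded automatically (BHOs, Run entries, Download
# Program Files, AppInit/Winlogon, SSODL, SharedTaskScheduler, services). Assumed selection.
AUTOSTART_CODES = {"O2", "O4", "O16", "O20", "O21", "O22", "O23"}


def parse_table(text):
    """Return one dict per data row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"index": int(m.group(1)), "prevalence": float(m.group(2)),
                         "code": m.group(3), "data": m.group(4)})
    return rows


def triage(rows, max_prevalence=0.1):
    """Autostart items on at most max_prevalence % of PCs, rarest first, with reasons."""
    out = []
    for r in rows:
        if r["code"] not in AUTOSTART_CODES or r["prevalence"] > max_prevalence:
            continue
        reasons = [f"rare: on {r['prevalence']}% of PCs"]
        # HJT marks entries whose target is gone; those are leftovers worth cleaning up.
        if "(no file)" in r["data"] or "(file missing)" in r["data"]:
            reasons.append("points to a file that no longer exists (orphaned entry)")
        out.append({**r, "reasons": reasons})
    return sorted(out, key=lambda r: (r["prevalence"], r["index"]))


if __name__ == "__main__":
    for r in triage(parse_table(SAMPLE_TABLE)):
        print(f"#{r['index']} {r['code']} {r['data']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

Rarity is only a prioritisation signal: in the full table the FileZilla Server and VoipBuster entries are also at 0.0% and are software the user installed, while the ztyseqk entry earns its place at the top because it is both rare and launched from the user profile.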

#20 Zanshin (Member, Topic Starter, 113 posts)
I hope this all makes sense to you
Zanshin.

#21 Zanshin (Member, Topic Starter, 113 posts)
My computer now appears to be virus free and I cannot thank you enough for your help.
My three windows opening upon reboot have now gone, but I still cannot access Notepad manually as security access is still denied. Is this something you can help me with or do I need to start another topic/thread?
Also, how/where do I need to record closure of the fix to my virus problem?
Very much appreciated and kind regards from Zanshin.

Edited by Zanshin, 03 April 2008 - 04:00 PM.


#22 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
We aren't done yet, but you are welcome.
============================
Please re-open HijackThis and choose "Do a system scan only".
Then place a check mark next to this entry:

O4 [ztyseqk] c:\documents and settings\owner\local settings\application data\ztyseqk.exe ztyseqk

Then click on Fix Checked and then close Hijackthis.
=======================================
For the notepad issue let's try this:
Please Go to start > run and type: cmd
This should open the command prompt Window (A black Window)

In the command prompt Window type the following commands:

assoc .txt=textfile Hit enter

ftype textfile=notepad.exe "%1" Hit enter

there should be a space between assoc and .txt
there should be a space between notepad.exe and "%1"


Then close the command prompt by typing exit or just close it using the x in the corner.

Then try to open up notepad again.
==========================
Let me know if that works.

#23 Zanshin (Member, Topic Starter, 113 posts)
There is no file of that name contained in the HJT system scan. All O4 files start with HK except one, which is Global Startup Ralink Wireless Utility.

#24 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
OK, did you follow the instructions for the Notepad fix?
See my previous post.

#25 Zanshin (Member, Topic Starter, 113 posts)
Yes, I tried that and it didn't work.
I followed your instructions as per the spacings; there also appeared to be a space between ftype and textfile in the second instruction. As it was a bit unclear, I followed the whole process with and without the space between those two words, but again, neither set of instructions worked.
Zanshin

#26 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as html button:
  • Save the file to your desktop.
  • Upload that information in your next post.


#27 Zanshin (Member, Topic Starter, 113 posts)
Apologies for the delay; it appears there is still one infection.

Saturday, April 05, 2008 9:08:10 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/04/2008
Kaspersky Anti-Virus database records: 681582


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
Y:\
Z:\

Scan Statistics
Total number of scanned objects 67530
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 01:58:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3951ad3288a789ce405632b5472a466f_6b3f012b-6420-4c4a-b39a-48ef8125b17d Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\619e9987b355968d358052e03ad07459_6b3f012b-6420-4c4a-b39a-48ef8125b17d Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\777f11ee48cd04941c5fe2c570444d00_6b3f012b-6420-4c4a-b39a-48ef8125b17d Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\88b96df0da2b9173db6378717bef8732_6b3f012b-6420-4c4a-b39a-48ef8125b17d Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8F0_1512_F015_818\dfsr.db Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8F0_1512_F015_818\fsr.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8F0_1512_F015_818\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8F0_1512_F015_818\tmp.edb Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF3493.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF34A8.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF95F9.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF961D.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\My Music\maggie in the wood chieftains.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{17FAD6FD-DEE3-4446-9027-3A9E58E3C498}\RP8\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_740.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by Zanshin, 05 April 2008 - 01:40 AM.

  • 0
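Reading a report like the one above is mostly a matter of separating the "Object is locked skipped" noise (registry hives, event logs and index.dat files that Windows holds open, which are not findings) from the "Infected:" lines. The following is an added example, not code from this thread or from Kaspersky: it parses lines of that shape and emits the infected paths one per line, which is the form the OTMoveIt2 paste box takes. The sample report is constructed; only the one real finding from the report above is reused.

```python
"""Added example (not from this thread or from Kaspersky): classify the lines of a
Kaspersky Online Scanner report so the 'Object is locked skipped' noise is separated
from the 'Infected:' findings, and emit the infected paths in the one-path-per-line
form that is pasted into OTMoveIt2's "Paste List of Files/Folders to be Moved" box."""
import re
from typing import Dict

# Constructed sample in the same shape as the report pasted above (the report's own
# real finding is kept as the infected line; the locked lines are typical system hives).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\Documents and Settings\Owner\My Documents\My Music\maggie in the wood chieftains.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")


def parse_report(text: str) -> Dict[str, list]:
    """Return {'locked': [paths], 'infected': [(path, detection)], 'other': [lines]}."""
    result: Dict[str, list] = {"locked": [], "infected": [], "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            result["infected"].append((m.group("path"), m.group("name")))
            continue
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append(m.group("path"))
            continue
        # Headers, 'Scan process completed.' and any line shape this parser
        # does not know are kept so nothing is silently dropped.
        result["other"].append(line)
    return result


def otmoveit_paste_list(text: str) -> str:
    """One infected path per line, the form OTMoveIt2 expects in its paste box."""
    return "\n".join(path for path, _ in parse_report(text)["infected"])


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"{len(parsed['locked'])} locked objects (in use by Windows, not findings)")
    for path, name in parsed["infected"]:
        print(f"INFECTED {name}: {path}")
    print("Paste into OTMoveIt2:\n" + otmoveit_paste_list(SAMPLE_REPORT))
```

Anything that lands in `other` deserves a look by hand; a new report line shape is better noticed than guessed at.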

#28
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Owner\My Documents\My Music\maggie in the wood chieftains.mp3
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================================
After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java: After that
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
================================
Let me know how things are running.

Also post back with the OTMoveIt log.
  • 0
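The OTMoveIt2 log is what tells you whether each pasted path was actually dealt with, so it is worth checking it against the list you pasted rather than just posting it. This is an added example, not OTMoveIt2's own code: it handles the two line formats that appear in the logs posted in this thread ("File move failed. ... scheduled to be moved on reboot." and "File/Folder ... not found."), treats every other line as unrecognised, and compares paths case-insensitively because the tool writes some of them in lower case. The requested paths and the log are constructed placeholders.

```python
"""Added example (not OTMoveIt2's own code): check an OTMoveIt2 log against the list of
paths that was pasted into the tool. The two line formats handled are the ones that
appear in the logs posted in this thread; any other line (for instance a successful
move, whose wording is not shown in the thread) is reported as unrecognised."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the paths are placeholders, not the thread's real files.
REQUESTED = [
    r"C:\Documents and Settings\Owner\Local Settings\Application Data\example-locked.exe",
    r"C:\Documents and Settings\Owner\My Documents\example-already-gone.mp3",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\example-entry",
    r"C:\Documents and Settings\Owner\example-never-mentioned.dll",
]

SAMPLE_LOG = r"""
File move failed. c:\documents and settings\owner\local settings\application data\example-locked.exe scheduled to be moved on reboot.
File/Folder C:\Documents and Settings\Owner\My Documents\example-already-gone.mp3 not found.
File/Folder HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\example-entry not found.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04052008_143211
"""

FAILED_RE = re.compile(r"^File move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")
NOT_FOUND_RE = re.compile(r"^File/Folder (?P<path>.+) not found\.$")
HEADER_RE = re.compile(r"^OTMoveIt2 by OldTimer - Version \S+ log created on \d{8}_\d{6}$")


def check_move_log(requested: List[str], log_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Map each requested path to 'pending reboot', 'not found' or 'unreported',
    and also return the log lines this checker did not recognise."""
    seen: Dict[str, str] = {}
    unrecognised: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue
        if (m := FAILED_RE.match(line)):
            seen[m.group("path").lower()] = "pending reboot"
        elif (m := NOT_FOUND_RE.match(line)):
            seen[m.group("path").lower()] = "not found"
        else:
            unrecognised.append(line)
    # OTMoveIt2 writes some paths in lower case; Windows paths are case-insensitive,
    # so the normalised forms are compared. An 'unreported' path must be checked
    # against the unrecognised lines before concluding anything about it.
    status = {p: seen.get(p.lower(), "unreported") for p in requested}
    return status, unrecognised


def needs_reboot(status: Dict[str, str]) -> bool:
    """True when at least one item is only scheduled for removal at next boot."""
    return any(s == "pending reboot" for s in status.values())


if __name__ == "__main__":
    result, unknown = check_move_log(REQUESTED, SAMPLE_LOG)
    for path, state in result.items():
        print(f"{state:15} {path}")
    if unknown:
        print("Unrecognised log lines:", *unknown, sep="\n  ")
    print("Reboot required:", needs_reboot(result))
```

A "pending reboot" entry matches the instruction above about being asked to reboot to finish the move; the post-reboot log should then be run through the same check.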

#29
Zanshin

Zanshin

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 113 posts
"If I had Maggie in the wood I'd do her all the good I could, if I had Maggie in the wood I'd keep her there 'til morning....................."
It's nice to know that a helpful stranger halfway around the world shares a good taste in music with myself.
Adrian.

p.s. I am just about to do a Java update then reboot.....so far no malware/pop-ups are appearing and whichever website/page I visit no invasive advertising appears in English, French or otherwise. I will give you a progress report again after Java.

p.p.s. I was able to open the OTMoveIt2 text.doc in Notepad without problem.


File/Folder C:\Documents and Settings\Owner\My Documents\My Music\maggie in the wood chieftains.mp3 not found.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04052008_143211
  • 0

#30
Zanshin

Zanshin

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 113 posts
Java 6 (3 components) installed, all other Java removed.
Computer stable, normal, so far no appearance of malware when surfing the 'net.
Still have a security issue trying to enter Notepad directly via Start, Accessories.
  • 0
