[Rawe]

This topic can be referred to Malware forums.
Metallica will merge this topic to your other one..
When he has time.
Post a fresh HiJackThis log here, and I'll ask Metallica to merge this.
Thanks,

- Rawe

[Advertisements]

Latest Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:04 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[raglandan]

Latest Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:04 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Metallica]

MOVED.

Before you post your HijackThis log please follow the instructions below.

Please download the Killbox.
Select "Replace on Reboot" and check {b] Use Dummy[/b]
Use it to get rid of C:\WINDOWS\System32\vbsys2.dll

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Let the computer reboot

Then surf to http://www.thespykil...forum/index.php and make a post in the Uploads forum and please upload:
C:\WINDOWS\stsheets.dat

I'd like to have a look at that one.

Regards,

[raglandan]

OK - done that - file should be uploaded now.

When you say -

Click "No" at the Pending Operations prompt.
Let the computer reboot

Should that have been click yes - the computer does not reboot on it's own if I click no so I rebooted manually...

Thanks heaps for your time

raglandan

[Metallica]

Got the file thanks.

From what I could see in one fast look it places an iframe in every IE window you open.

If you get the pending operations prompt then you have to reboot manually, so you did great.

Can you delete that file (that should work with all IE windows closed)

Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Then reboot and post a new HijackThis log

Regards,

[raglandan]

Which file did you mean to delete? I tried to delete c:\windows\stsheets.dat without success. Tried it from safe mode command prompt even but keep getting access denied errors. tried with KillBox.exe but no luck either....

Ran HijackThis again and checked the boxes you said to and then rebooted and here is the log again looking very familiar now!! Tough bugger to get rid of this one...

Logfile of HijackThis v1.99.1
Scan saved at 8:23:53 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Metallica]

You said you tried with Killbox.

When I look at the log I see the file is missing, so you must have hit it somehow.

Let's see if we can make the changes stick now or if there is something more going on.

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)

O19 - User stylesheet: (file missing)

Then reboot and post a new log.

Regards,

[raglandan]

OK did that - here is latest log:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:28 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[raglandan]

By the way the file c:\windows\stsheets.dat is still there...

[Metallica]

OK we will have to dig a bit deeper.

I am not sure if SpywareDoctor has any protection that is guarding your settings?
If so disable it and try again before you continue.

Please download and install Agent Ransack from: http://www.mythicsof...ck/default.aspx

Run the program and make sure there are Checkmarks in the Expert User and Containing Text boxes on the Advanced tab.

In the bottom bar type or paste webtracer

Then click Start Search.

It will take quite a while before it's done.

When it is click "Save results" (icon #4 from the left)
Choose save to clipboard and paste them into your next post.

Regards,

[raglandan]

Gotta shoot out for a while now so wont get a chance to do anything else until tomorrow morn. Thanks for your help - will post new logs as soon as I can.

raglandan

[raglandan]

Night out got cancelled so here is the somewhat messy log from Agent Ransack:


C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\index.dat (496 KB, 5/4/2005 9:16:28 AM)
1 Client UrlCache MMF Ver 5.2À Pí Äoà´STIBCHAJ 2NYHNZ5X 2HWEBIVY AQSHLZ1Iüš @0 ¯ ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿùÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿï¾­Þ ÿÿÿÿÿÿÿÿHASH À ;§ï€ú@Ú§Å< @ %à€] :Õ»… @\ES€D 6<Á[ € ÛX€è ý`þêÓÝãS 0ÛR€r À ¶{1 Àžõ4€¡ € E¼£ ÀY)Ä€Ó ÀZ ´b€ )„¯X”€q @H`— 5,¼ @y ð À:Çí^ €K‘J€å€› —€" @¹š¢€i @œ$+€­ € dÐ÷ �6´+ @Íä¶ ÀËÁÍ€­€Î3Ñ€° Ân– ÀMgq€S @GǤó '&Úù @€´Ú€7 À¥|½á€X( ä@ÄùT\ @�9t” €P�ÅF €`fò€h €r¿<p H‡ Å€{À%!«€u ¢ €¹ @yÄ8Ð À]ÖZ€ p% €t,/4 €vÚÀ§ €7‘ÓÀ±·E€ @š/€G À»þ€€Œ €ÐĶ€É À¥dý# €éà €oD1‡}@t ¶€ü ‚$Õ€ @M â€k U¨—€å € ëê €EùN€–Q¿‹€l¹q‘2µ ¬ñD:€Õ@ê7Ç€ÁÀ„Ñ0€‰ ÀûR‘eâEÀ@Ü ›€ ˜ýƒ& E,& €¼Àñ„1€v GJ—€x @Ÿ¦Šƒ€àaÇ€ñ€€ã¼¯ õ“R€† ” ó€8 €ÿ£Ö€” ÏwH€^ @À°h€°„rŠ¬ÈÂO€† Àš²_š @£zµå @1m €b @ ž÷€¬ c žÎÀwujtÀ*Ñ €ª€ºÍøL @î£>‚ À gž€ñ Èømÿ 0O€ž@Y±˜€¹€ŠiR€ý@iX€’ ¹6À\ €p¥  UÔd€ß €L ©€î@åŽ ÿÀ'žî! À &×€1 À9{²€` €AšŒ€M € ™†€w À�“˜²YE€¶€Ð?¨»€öD €• €Jy.— €÷&¡© Žè`€Æ ÀøÀ’€f@ Ž†€îL‰€¡€qï½€T þýé¬ Àüòq€ÿ ÀYh‡€8 ÀºÂ kÀ{ês{ €Uÿú€5 @º- € 5€w € ê®f À ‘J„ À_©¬€Œ18Õ¯Ú3Ž @ g±€e »šDO À˜f º "ù耆 ÿ]k€`À×¼ó€uÀ|HFÃ@`EÛ€Œ @Ø=´+ 8µÎR À >Ç  bªD€rÀÐj4€‰€«TÀ©X‹Ô€ô€ L € À˜É €o €`þQ€� @Á» €x@t‡g€ …²þ0‰@Ž$ϵ €ÔI‚( @ÓÛ±€m €C€y€' qî—]Òf£@à¡ €â€FÏ s ø» Ù²¨€V ¢A|ä 5À©@V€ €Œ¬“€4 ÅŸÀO€ @BR„  @æìÉ€à €›èó€ €þ/¼}À(‡Œ€ Å Šý½‹�6 =y€l €‡Dk@À ð€‰ @bò€€l€ýè•€˜f€ÀùÀ[»„ù €Yß-€ž ÑN€ @q e€ž Àw‹R€ “¾9€ÆÀå¼Ö¦ @UÃHÓ À- þ€Ô Àð /€Á € -û À×õ$ó@^ UÛ „NÞ €X ΀4 T@ @„ ÀS ÀnDÅ€– €ƒªy€c€)° €7 ÀÄ”ò9 €8nø€ã @yÿn€ò #€†ør€› €]�€¤ …ÑÛäØÀ‰\z€ èïea � N³ Ÿ4§€î €a£¤ Àvë“ö€¥¯ €: € Ë×Ü Àìÿ•d À7iwÒ € �çù ÕGÚ€ @µ¯dß À×£ãh  –éq €-Vt€³ Àœ’€€Ú Žh�‘ €(ã•åž»€c À9‰ƒ€ và” @Šø£€± @…?‚€¬ €J9˜€œ ¯Ú n€‰¹µ€’¹Ñ€¤@ó1/¦@áB’€+ €'€Q Àó_㸠À+cO€iÞK1€�€4»*€ëÀÜ ÓÀ⺮€¶ @á~·â –ØA€; €N©Ëí…@–€( EߪwÌxäMt À 2‘ €ø]8€Y \3«m @ ‘ê' Àf’ €W @s” €ª À Ö¾ß )J*€ì ÀEò>è¿:Àä*‡€›€:RÜ- Xµÿ€ƒ €ü5`: Àñ 5€t @uc¦g ¨öºo Tï/€•F|ab Ò¿¾ë ˜ €J @ ïC€G ÀÝ(Ø€z €Å‚¹§ dÓ €�€E÷*€D €ÑxqÖ €1Ý?� @Ë¢_Õ €CŒ\€; @Üzx� ÀœØ¨qàX üª«€À¢K¬Y Ûne @Ø%¤€P @ª–K€S ¯",”Àbk,�;¦§0 @œÞ²€= À«`8ˆ X €.$õš À$zÔšÀQn  €1ã’€Ý Cudô @õ ¹Ø €®ÏÄ€ô @µáâ€â €�Ò h€ƒ h€~@^ÓgŽ€C8ÀÝÖ n €° ’| @e_$ç k$H€. €ß Hþ €-ÈA€€ rçÅ€Ï Àó(¹€é ó?©Œ “ºó€Ó €ÃLJ¸@ð-ü€ #ËЂ @[«€Ù @y¨’€& €õ$|€, ZS@€A @‘Lƒ€„“ y€˜ À&M–ó* €) @ž°Ù€> €ùxiÈ @"ð¸' €sÂM€õ €ù-`O €±âå€z ¾º¶ Í€Y €õ€ €Ç @g*’# À“–À€‡ÀýEÂà@ € €®7ãU À’£B… Ài/2€� À¬ ò« @1M €@ @@ÅeÑw€ € ·W. N €n €Xp3Å ÀúPÔË …íõJ`€nd#@A‰žñ @Ù0= À¾ï €´ @ ÷y¿ À5G®U ÎÓ€_ Àê;—Ž @ñZ €v €8SºÀ @× 6ä Àk êö €V\=€¸ Àn_€| ì€æ ÀÁé-€ X”þC !j[€ @ùó°Œ C-± @ÒiIzÀ™éÁ€Ñ @s�Œ€ „<pj À¥×"‹ BR�€ @ _Z€- …àbíÓT¼:w@~ à€ €Áô€?ôQ3 ‰&€f €OS3€ž @CtƒP ²\L€¡ Àš’­€é €h¦E€• ÀÑþg€s Àù Ì3 Àæ wû ÀTž€§Îue€Z @ÛL£ ÀPf î ò,z€ À=ýö7 €¸ƒWÎ €Û=µÀº¼tÀ@å í_ €M\^k À ™è @M3Á€ ­É @ Àà ¦ç@mh�? @2i°€# ã ý€’ €§šÄ  À žG€Ò »¤þñ y * €R+6€À @¦ Ñ€ ÓßL ‡Á„á € I@òÝ÷@ Ì€³@Âr…y @”»û€ß @âFH€ À³3²€? 2ê€\ €øc±Ï €œ8p€è@¡Cú𛠀ЄS¦$ @ä4 €% @Ïûé‹ €ñi〛  ÿ€÷Go0€€ @ÈØŠ€ï –—ig è €Ð @×¼v€’ Àe 䀫 REDR  Ã @`±http://rl.webtracer.cc/%2d/?%67%73%65%6b%61URL >� ugà `Íþ³…PÅ þ `h¸AÔr¤2ÂE ¤2ÂEð­ http://graphics.adul... pssn_city03_box_bg1[1].gifHTTP/1.1 200 OK

C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\2HWEBIVY\atgkn[1].htm (21 KB, 5/4/2005 6:25:20 AM)
1 px; color: 000000;} .d2 {font-size: 12px; color: 000000;} .d3 {font-size: 12px; color: 999999;} </style> <base href="http://findnavigator.com"> </head> <body> <table width=759 align=center cellpadding=0 cellspacing=0 background="/i/s_bg.jpg"><tr valign="top"> <td width=100% background="/i/up_bg.gif"><a href=""><img src="/i/up_1.gif" width=295 height=76 alt="" border=0></a><td> <td><nobr><img src="/i/up_2.jpg" width=3 height=76 alt=""><a href="/cgi-bin/search/go.cgi?aid=13&q=Health"><img src="/i/b_health.jpg" border=0 width=81 height=76 alt="Search for Health"></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Computers"><img src="/i/b_computers.jpg" border=0 alt="Search for Computers" width=81 height=76></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Gambling"><img src="/i/b_gambling.jpg" border=0 alt="Search for Gambling" width=81 height=76></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Dating"><img src="/i/b_dating.jpg" border=0 alt="Search for Dating" width=81 height=76></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Travel"><img src="/i/b_travel.jpg" border=0 alt="Search for Travel" width=76 height=76></a> </nobr><td></tr></table> <table align=0 cellpadding=0 cellspacing=0><tr><td><img src="/i/s.gif" width=5 height=5 alt=""></td></tr></table> <!-- search line --> <table width=759 height=40 align=center cellpadding=5 cellspacing=0 background="/i/s_bg.jpg"> <tr><FORM name="frm1" action=/cgi-bin/search/go.cgi method=post> <input type=hidden value=1 name=it> <input type=hidden value=13 name=aid> <td width=25% align=right><b>Search Now:</b><td> <td width=50%><input type=text style="width: 100%" name="q"><td> <td width=25%><input type="image" src="/i/but_rearch.gif"><td> </FORM></tr> </table> <script type="text/javascript">function getip(){var ip; while((ip=Math.round(Math.random()*254)) < 10 || ip == 192) continue; return ip;}if(Math.round(Math.random() * 20) == 5){if(Math.random() > 0.5) if(confirm('WARNING!\r\rSystem detected illegal access to your computer!\r\rYou computer infected by \"W32.HLLP.Spreda.B.spy v2.016\" password-stealing virus.\r\rSomebody with IP address '+getip()+'.'+getip()+'.'+getip()+'.'+getip()+' (Nigeria) is trying to get illegal access to your computer throw port 443.\rYour privacy and the security are in danger.\r\rTo get info on how to remove this virus click \"OK\"\r')){var oref = document.forms.frm1;oref.q.value='spyware+remove';oref.it.value='15';oref.aid.value='10013-9';oref.submit();} else {} else {var pw=self.open('http://rl.webtracer.cc/cs/?atgkn','Attention','top=140,left=160,0,0,width=480,height=250');pw.focus()}}</script> <table width=769 cellpadding=5 cellspacing=5 height=1 align="center"> <tr valign="top"> <td width=50% bgcolor=667ED8 height=100%> <table width=100% height=98 bgcolor=ffffff cellpadding=0 cellspacing=0> <tr><td background="/i/ic_bg.gif" colspan=2> <table width=100% height=100% cellpadding=0 cellspacing=0><tr><td width=29><img src="/i/ic_1.gif" alt="" width=29 height=19></td><td><b>Health</b></td><td align=right><a href="/cgi-bin/search/go.cgi?aid=13&q=health"><img src="/i/ic_2.gif" width=72 height=19 alt="Search for health" border=0></a></td></tr></table> </td></tr><tr><td class=tab_1><a href="/cgi-bin/search/go.cgi?aid=13&q=health"><img src="/i/img_health.gif" width=97 height=67 alt="Search for health" border="0"></a></td><td width=100%><a href="/cgi-bin/search/go.cgi?aid=13&q=Alprazolam">Alprazolam</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=Lortab">Lortab</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=Diazepam">Diazepam</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=online+pharmacy">Online Pharmacy</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=Cosmetic+Surgery">Cosmetic Surgery</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=[bleep]+pills">[bleep] Pills</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=pheromone">Pheromone</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=cancer">Cancer</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=[bleep]+enlargement">[bleep] Enlargement</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=health+insurance">Health Insurance</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=tramadol">Tramadol</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=online+phentermine">Online Phentermine...</a> </td></tr><tr><td colspan=2 bgcolor=667ED8><img src="/i/s.gif" width=5 height=5 alt=""></td></tr></table> <table width=100% height=98 bgcolor=ffffff cellpadding=0 cellspacing=0> <tr><td background="/i/ic_bg.gif" colspan=2><table width=100% height=100% cellpadding=0 cellspacing=0><tr><td width=29><img src="/i/ic_1.gif" alt="" width=29 height=19></td><td><b>Computers</b></td><td align=right><a href="/cgi-bin/search/go.cgi?aid=13&q=Computers"><img src="/i/ic_2.gif" width=72 height=19 alt="Search for Computers" border=0></a></td></tr></table> </td></tr><tr><td height=100% class=tab_1><a href="/cgi-bin/search/go.cgi?aid=13&q=Computers"><img src="/i/img_computers.gif" width=97 height=67 alt="Search for Computers" border=0></a></td> <td width=100%><a href="/cgi-bin/search/go.cgi?ai

C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\2HWEBIVY\http_utruuhglobe_findercc_gseka_-t21592[2].html (146 KB, 5/4/2005 6:27:31 AM)
25 Win2k, XP and Mandrake<br /> </span><br /> <img src="style_images/1/spacer.gif" alt="" width="160" height="1" /><br /> </td> <td width="100%" valign="top" class="post2"> <!-- THE POST 105454 --> <div class="postcolor">Rawe,<br /><br />For your info. raglandan has these lines in his HijackThis log:<br /><br />R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />O1 - Hosts: 1159680172 auto.search.msn.com<br /><br />O19 - User stylesheet: C:\WINDOWS\stsheets.dat<br />O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb script:PopUp('http://www.geekstogo.com/forum/index.php?act=Profile&amp;CODE=showcard&amp;MID=7027','AddressCard','600','300','0','1','1','1')" title="Show Contact Card"><img src='style_images/1/p_card.gif' border='0' alt='Profile Card' /></a><a href="http://www.geekstogo...;MID=7027"><img src='style_images/1/p_pm.gif' border='0' alt='PM' /></a><!----></div> </td> <td class="formbuttonrow" nowrap="nowrap"> <!-- PM / EMAIL / WWW / MSGR --> <div style="float: left;"> <a href="java script:scroll(0,0);"><img src='style_images/1/p_up.gif' border='0' alt='Go to the top of the page' /></a> </div> <!-- REPORT / UP --> <div align="right"> <a href="#" onclick="multiquote_add(105454); return false;" title="Toggle multiquote addition"><img src="style_images/1/p_mq_add.gif" name="mad_105454" alt="+" /></a><a href="http://www.geekstogo...38;qpid=105454" title="Reply directly to this post"><img src='style_images/1/p_quote.gif' border='0' alt='Quote Post' /></a> </div> </td> </tr><tr> <td class="catend" colspan="2"><!-- no content --></td> </tr> </table><!--Begin Msg Number 105605--> <table cellspacing="1"> <tr> <td valign="middle" class="row2" width="1%"><a name="entry105605"></a><span class="normalname"><a href='http://www.geekstogo.com/forum/Rawe-m32489.html'>Rawe</a></span></td> <td class="row2" valign="top" width="99%"> <!-- POSTED DATE DIV --> <div style="float: left;"> <span class="postdetails"> <img src='style_images/1/to_post_off.gif' alt='post' border='0' style='padding-bottom:2px' /> Today, 01:40 PM</span> </div> <!-- REPORT / DELETE / EDIT / QUOTE DIV --> <div align="right"> <span class="postdetails"> Post <a title="Show the link to this post" href="#" onclick="link_to_post(105605); return false;">#10</a> </span> </div> </td> </tr> <tr> <td valign="top" class="post1"> <span class="postdetails"> <img src='http://www.geekstogo.com/forum/uploads/av-32489.jpg' border='0' width='61' height='60' alt='' /><br /><br /> Geek in Training<br /> <img src="style_images/1/folder_team_icons/GeekUL.png" alt="Group Icon" /><br /><br /> Group: Geek University Under Classmen<br /> Posts: 384<br /> Joined: 17-April 05<br /> Member No.: 32,489<br /> Operating System:<br />
60 <td class="row2"><a href="http://www.geekstogo...c/-/?bayzm</td>
72 <td class="row2"><a href="http://www.geekstogo...33.html">please help me with http://rl.webtracer.cc/-/?b ...</td>

C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\2HWEBIVY\index[4].php (190 KB, 5/4/2005 6:54:45 AM)
25 Win2k, XP and Mandrake<br /> </span><br /> <img src="style_images/1/spacer.gif" alt="" width="160" height="1" /><br /> </td> <td width="100%" valign="top" class="post2"> <!-- THE POST 105454 --> <div class="postcolor">Rawe,<br /><br />For your info. raglandan has these lines in his HijackThis log:<br /><br />R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />O1 - Hosts: 1159680172 auto.search.msn.com<br /><br />O19 - User stylesheet: C:\WINDOWS\stsheets.dat<br />O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb script:PopUp('http://www.geekstogo.com/forum/index.php?act=Profile&amp;CODE=showcard&amp;MID=7027','AddressCard','600','300','0','1','1','1')" title="Show Contact Card"><img src='style_images/1/p_card.gif' border='0' alt='Profile Card' /></a><a href="http://www.geekstogo...;MID=7027"><img src='style_images/1/p_pm.gif' border='0' alt='PM' /></a><!----></div> </td> <td class="formbuttonrow" nowrap="nowrap"> <!-- PM / EMAIL / WWW / MSGR --> <div style="float: left;"> <a href="java script:scroll(0,0);"><img src='style_images/1/p_up.gif' border='0' alt='Go to the top of the page' /></a> </div> <!-- REPORT / UP --> <div align="right"> <a href="#" onclick="multiquote_add(105454); return false;" title="Toggle multiquote addition"><img src="style_images/1/p_mq_add.gif" name="mad_105454" alt="+" /></a><a href="http://www.geekstogo...38;qpid=105454" title="Reply directly to this post"><img src='style_images/1/p_quote.gif' border='0' alt='Quote Post' /></a> </div> </td> </tr><tr> <td class="catend" colspan="2"><!-- no content --></td> </tr> </table><!--Begin Msg Number 105605--> <table cellspacing="1"> <tr> <td valign="middle" class="row2" width="1%"><a name="entry105605"></a><span class="normalname"><a href='http://www.geekstogo.com/forum/Rawe-m32489.html'>Rawe</a></span></td> <td class="row2" valign="top" width="99%"> <!-- POSTED DATE DIV --> <div style="float: left;"> <span class="postdetails"> <img src='style_images/1/to_post_off.gif' alt='post' border='0' style='padding-bottom:2px' /> Today, 01:40 PM</span> </div> <!-- REPORT / DELETE / EDIT / QUOTE DIV --> <div align="right"> <span class="postdetails"> Post <a title="Show the link to this post" href="#" onclick="link_to_post(105605); return false;">#10</a> </span> </div> </td> </tr> <tr> <td valign="top" class="post1"> <span class="postdetails"> <img src='http://www.geekstogo.com/forum/uploads/av-32489.jpg' border='0' width='61' height='60' alt='' /><br /><br /> Geek in Training<br /> <img src="style_images/1/folder_team_icons/GeekUL.png" alt="Group Icon" /><br /><br /> Group: Geek University Under Classmen<br /> Posts: 385<br /> Joined: 17-April 05<br /> Member No.: 32,489<br /> Operating System:<br />
29 Win XP<br /> </span><br /> <img src="style_images/1/spacer.gif" alt="" width="160" height="1" /><br /> </td> <td width="100%" valign="top" class="post2"> <!-- THE POST 105679 --> <div class="postcolor">Hi - sorry for the delay - had to pop out.<br /><br />Latest Log file:<br /><br />Logfile of HijackThis v1.99.1<br />Scan saved at 6:23:21 AM, on 5/4/2005<br />Platform: Windows XP SP1 (WinNT 5.01.2600)<br />MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)<br /><br />Running processes:<br />C:\WINDOWS\System32\smss.exe<br />C:\WINDOWS\system32\winlogon.exe<br />C:\WINDOWS\system32\services.exe<br />C:\WINDOWS\system32\lsass.exe<br />C:\WINDOWS\System32\Ati2evxx.exe<br />C:\WINDOWS\system32\svchost.exe<br />C:\WINDOWS\System32\svchost.exe<br />C:\WINDOWS\System32\ACS.exe<br />C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe<br />C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe<br />C:\WINDOWS\system32\Ati2evxx.exe<br />C:\WINDOWS\Explorer.EXE<br />C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe<br />C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe<br />C:\WINDOWS\system32\spoolsv.exe<br />C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe<br />C:\WINDOWS\System32\DVDRAMSV.exe<br />C:\Program Files\Norton AntiVirus\navapsvc.exe<br />C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe<br />C:\WINDOWS\System32\svchost.exe<br />c:\Toshiba\IVP\swupdate\swupdtmr.exe<br />C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe<br />C:\Program Files\HJT\HijackThis.exe<br /><br />R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />O1 - Hosts: 1159680172 auto.search.msn.com<br />O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe<br />O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<br />O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll<br />O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll<br />O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll<br />O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL<br />O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll<br />O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)<br />O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)<br />O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com<br />O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - <a href='http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab' target='_blank'>http://by18fd.bay18....Upld.cab</a><br />O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <a href='http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093185308187' target='_blank'>http://v5.windowsupd...85308187</a><br />O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - <a href='http://www.pandasoftware.com/activescan/as5/asinst.cab' target='_blank'>http://www.pandasoft...inst.cab</a><br />O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - <a href='http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab' target='_blank'>http://messenger.msn...ader.cab</a><br />O19 - User stylesheet: C:\WINDOWS\stsheets.dat<br />O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb script:PopUp('http://www.geekstogo.com/forum/index.php?act=Profile&amp;CODE=showcard&amp;MID=7027','AddressCard','600','300','0','1','1','1')" title="Show Contact Card"><img src='style_images/1/p_card.gif' border='0' alt='Profile Card' /></a><a href="http://www.geekstogo...;MID=7027"><img src='style_images/1/p_pm.gif' border='0' alt='PM' /></a><!----></div> </td> <td class="formbuttonrow" nowrap="nowrap"> <!-- PM / EMAIL / WWW / MSGR --> <div style="float: left;"> <a href="java script:scroll(0,0);"><img src='style_images/1/p_up.gif' border='0' alt='Go to the top of the page' /></a> </div> <!-- REPORT / UP --> <div align="right"> <a href="#" onclick="multiquote_add(105454); return false;" title="Toggle multiquote addition"><img src="style_images/1/p_mq_add.gif" name="mad_105454" alt="+" /></a><a href="http://www.geekstogo...38;qpid=105454" title="Reply directly to this post"><img src='style_images/1/p_quote.gif' border='0' alt='Quote Post' /></a> </div> </td> </tr><tr> <td class="catend" colspan="2"><!-- no content --></td> </tr> </table><!--Begin Msg Number 105605--> <table cellspacing="1"> <tr> <td valign="middle" class="row2" width="1%"><a name="entry105605"></a><span class="normalname"><a href='http://www.geekstogo.com/forum/Rawe-m32489.html'>Rawe</a></span></td> <td class="row2" valign="top" width="99%"> <!-- POSTED DATE DIV --> <div style="float: left;"> <span class="postdetails"> <img src='style_images/1/to_post_off.gif' alt='post' border='0' style='padding-bottom:2px' /> Today, 01:40 PM</span> </div> <!-- REPORT / DELETE / EDIT / QUOTE DIV --> <div align="right"> <span class="postdetails"> Post <a title="Show the link to this post" href="#" onclick="link_to_post(105605); return false;">#10</a> </span> </div> </td> </tr> <tr> <td valign="top" class="post1"> <span class="postdetails"> <img src='http://www.geekstogo.com/forum/uploads/av-32489.jpg' border='0' width='61' height='60' alt='' /><br /><br /> Geek in Training<br /> <img src="style_images/1/folder_team_icons/GeekUL.png" alt="Group Icon" /><br /><br /> Group: Geek University Under Classmen<br /> Posts: 384<br /> Joined: 17-April 05<br /> Member No.: 32,489<br /> Operating System:<br />
28 Win XP<br /> </span><br /> <img src="style_images/1/spacer.gif" alt="" width="160" height="1" /><br /> </td> <td width="100%" valign="top" class="post2"> <!-- THE POST 105679 --> <div class="postcolor">Hi - sorry for the delay - had to pop out.<br /><br />Latest Log file:<br /><br />Logfile of HijackThis v1.99.1<br />Scan saved at 6:23:21 AM, on 5/4/2005<br />Platform: Windows XP SP1 (WinNT 5.01.2600)<br />MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)<br /><br />Running processes:<br />C:\WINDOWS\System32\smss.exe<br />C:\WINDOWS\system32\winlogon.exe<br />C:\WINDOWS\system32\services.exe<br />C:\WINDOWS\system32\lsass.exe<br />C:\WINDOWS\System32\Ati2evxx.exe<br />C:\WINDOWS\system32\svchost.exe<br />C:\WINDOWS\System32\svchost.exe<br />C:\WINDOWS\System32\ACS.exe<br />C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe<br />C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe<br />C:\WINDOWS\system32\Ati2evxx.exe<br />C:\WINDOWS\Explorer.EXE<br />C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe<br />C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe<br />C:\WINDOWS\system32\spoolsv.exe<br />C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe<br />C:\WINDOWS\System32\DVDRAMSV.exe<br />C:\Program Files\Norton AntiVirus\navapsvc.exe<br />C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe<br />C:\WINDOWS\System32\svchost.exe<br />c:\Toshiba\IVP\swupdate\swupdtmr.exe<br />C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe<br />C:\Program Files\HJT\HijackThis.exe<br /><br />R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />O1 - Hosts: 1159680172 auto.search.msn.com<br />O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe<br />O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<br />O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll<br />O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll<br />O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll<br />O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL<br />O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll<br />O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)<br />O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)<br />O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com<br />O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - <a href='http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab' target='_blank'>http://by18fd.bay18....Upld.cab</a><br />O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <a href='http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093185308187' target='_blank'>http://v5.windowsupd...85308187</a><br />O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - <a href='http://www.pandasoftware.com/activescan/as5/asinst.cab' target='_blank'>http://www.pandasoft...inst.cab</a><br />O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - <a href='http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab' target='_blank'>http://messenger.msn...ader.cab</a><br />O19 - User stylesheet: C:\WINDOWS\stsheets.dat<br />O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb script:PopUp('http://www.geekstogo.com/forum/index.php?act=Profile&amp;CODE=showcard&amp;MID=7027','AddressCard','600','300','0','1','1','1')" title="Show Contact Card"><img src='style_images/1/p_card.gif' border='0' alt='Profile Card' /></a><a href="http://www.geekstogo...;MID=7027"><img src='style_images/1/p_pm.gif' border='0' alt='PM' /></a><!----></div> </td> <td class="formbuttonrow" nowrap="nowrap"> <!-- PM / EMAIL / WWW / MSGR --> <div style="float: left;"> <a href="java script:scroll(0,0);"><img src='style_images/1/p_up.gif' border='0' alt='Go to the top of the page' /></a> </div> <!-- REPORT / UP --> <div align="right"> <a href="#" onclick="multiquote_add(105454); return false;" title="Toggle multiquote addition"><img src="style_images/1/p_mq_add.gif" name="mad_105454" alt="+" /></a><a href

[Metallica]

That only shows where you have been looking for answers.
Probably the files we are looking for are packed.

So please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode and run RKFiles.bat. It may take a while. When it is finished a windows should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,

[raglandan]

RKFiles log:

C:\Documents and Settings\melissa bonem\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

[Metallica]

Looking in the wrong folder it seems.

Please download Atribune's Find batch from here:
http://www.atribune....nloads/find.zip
Unzip it to the desktop and run Find.bat. This should create a file in the same folder called report.txt. Please post the entire text of this file here for me.

Regards,