New log [resolved]



#16 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
Does Silent Runners have the .vbs extension?

Try right-clicking it and choose "Open with...".
Then point it to Microsoft ® Windows Based Script Host.

Regards,

#17 lestat82 (Member, Topic Starter, 16 posts)
Thank you,

Yes, it has the .vbs extension:


'Silent Runners.vbs -- find out what programs start up with Windows!
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF 24 April 2005, http://www.silentrunners.org/
'This script is provided without any warranty, either expressed or implied
'It may not be copied or distributed without permission
'
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! **
'HEADER ENDS HERE

Deleted useless content - Metallica

Edited by Metallica, 16 May 2005 - 10:03 AM.


#18 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
No need to post the content. I do have a copy.

Please go to this site and choose the correct language:
http://www.microsoft...&displaylang=en

No idea how WSH disappeared but we will have to replace it.
Install Windows Script 5.6 for Windows 2000 and XP that is offered for download there.

Regards,

#19 lestat82 (Member, Topic Starter, 16 posts)
Got it, finally. Thanks.

Here it is:


"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Mozilla Quick Launch" = ""C:\Programmi\Netscape\Netscape\Netscp.exe" -turbo" ["Mozilla, Netscape"]
"Yahoo! Pager" = "C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = "C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0\bin\jusched.exe" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"ccApp" = ""C:\Programmi\File comuni\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Picasa Media Detector" = "C:\Programmi\Picasa2\PicasaMediaDetector.exe" [null data]
"Zone Labs Client" = ""C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"NWEReboot" = (no data)
"WinPatrol" = ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"" ["BillP Studios"]
"WinampAgent" = "C:\Programmi\Winamp\winampa.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "CNisExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "La mia macchina fotografica digitale"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\PhotoDeluxe HE 3.0\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\ICQ\ICQShExt.dll" ["ICQ"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssbezier.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\UTENTE1\Dati applicazioni\Webshots\The Webshots Desktop\Wallpaper.bmp"


Startup items in "UTENTE1" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\UTENTE1\Menu Avvio\Programmi\Esecuzione automatica
"Webshots" -> shortcut to: "C:\Programmi\Webshots\Launcher.exe /t" [null data]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"Adobe Gamma Loader" -> shortcut to: "C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Avvio veloce di Adobe Reader" -> shortcut to: "C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Color Calibration" -> shortcut to: "C:\Programmi\SEC\MagicTune 2.5\GammaTray.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Programmi\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NkvMon.exe" -> shortcut to: "C:\Programmi\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"]
"WinZip Quick Pick" -> shortcut to: "C:\Programmi\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scansione del computer - UTENTE1" -> launches: "C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programmi\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 19
C:\Programmi\Panda Software\Panda Platinum Internet Security\pavlsp.dll ["Panda Software "], 03 - 04, 18
%SystemRoot%\system32\mswsock.dll [MS], 05 - 07, 10 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{B13B4423-2647-4CFC-A4B3-C7D56CB83487}\
"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programmi\Hello\PicasaCapture.dll" ["Picasa, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programmi\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ISSvc, ISSVC, ""C:\Programmi\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Servizio Auto-Protect di Norton AntiVirus, navapsvc, "C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Programmi\File comuni\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#20 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Thanks Metallica (I just turned around to have dinner).

Silent Runners shows WinPatrol active.
Again, disable SpywareGuard and AntiSpyware. You should grant Spybot permission for the changes we are making.
Also, for the duration of this fix, disable WinPatrol.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html

Click on Fix Checked when finished and exit HijackThis.

Reboot the computer.
Can I see a new log please?

#21 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
My pleasure.

Good luck g2i2r4

#22 lestat82 (Member, Topic Starter, 16 posts)
Thanks, guys ;)

OK, I removed those two items again and re-enabled WinPatrol and MS AntiSpyware. As for SpywareGuard, I uninstalled it.

Now the Search Bar items are gone, but Microsoft AntiSpyware is still detecting this "Possible browser hijack" in my IE Search Bar.

Ad-Aware isn't detecting anything.

Spybot isn't detecting Lop either, but it just detected a registry value called "E-Musica" which it seems to have cleaned.

I also found that MS AntiSpyware seems to be unable to connect to the internet for uploads. How do I know if and when the malware is gone? It seems to have a tendency to "resurrect" itself.

As I was writing this, the Search Bar items, which had gone when I restarted my computer, have reappeared...

Here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21.16.05, on 16/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Netscape\Netscape\Netscp.exe
C:\Programmi\Yahoo!\Messenger\ypager.exe
C:\Programmi\SEC\MagicTune 2.5\GammaTray.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\UTENTE1\Documenti\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programmi\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Programmi\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Programmi\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097589077390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24F92186-5C10-4AD5-9554-B89192599332}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
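When the same two R1 lines keep coming back between scans, the question a practitioner wants answered is "what else changed between the clean run and the run where they reappeared?". The following is an added example written for this page, not code from HijackThis or from anyone in the thread: it parses HijackThis 1.99.x log lines, diffs two scans (both the detection lines and the "Running processes" list) and flags R0/R1 Internet Explorer settings whose value is not a stock IE default. The allow-list of IE defaults is an assumption of the example; the sample logs are constructed from lines quoted in this thread, with the hijack URL left in the truncated form the forum shows.

```python
"""Added example: parse HijackThis 1.99.x logs, flag IE search-bar hijacks and
diff two scans (detections plus running processes).  Not part of HijackThis or
of the original thread; the allow-list and the sample logs are constructed."""
import re
from typing import List, Tuple

# One detection line looks like "R1 - HKCU\...\Main,Search Bar = http://..."
# or "O4 - HKLM\..\Run: [name] path".  Header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Stock values IE writes to Main\Search Bar / Start Page.  Assumption for this
# example: anything else in an R0/R1 line deserves a second look.
KNOWN_GOOD_IE = ("about:blank", "http://www.microsoft.com/", "http://www.msn.com",
                 "http://search.msn.com", "res://")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """(section, body) for every detection line; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def parse_processes(text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, active = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            active = True
            continue
        if active:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def suspicious_ie_settings(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """R0/R1 lines whose value is not a stock IE default -> [(registry key, value)]."""
    hits = []
    for section, body in entries:
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if not value.strip().lower().startswith(KNOWN_GOOD_IE):
                hits.append((key.strip(), value.strip()))
    return hits


def diff_logs(before: str, after: str):
    """(new_entries, gone_entries, new_processes) between two scans, order-insensitive."""
    a, b = set(parse_hjt(before)), set(parse_hjt(after))
    pa = {p.lower() for p in parse_processes(before)}
    pb = {p.lower() for p in parse_processes(after)}
    return sorted(b - a), sorted(a - b), sorted(pb - pa)


# Constructed sample: a scan taken right after HijackThis fixed the two R1 lines ...
LOG_AFTER_FIX = """Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [WinPatrol] "C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{24F92186-5C10-4AD5-9554-B89192599332}: NameServer = 192.168.1.1
"""
# ... and one taken after the anti-spyware scan, when the Search Bar entries were back.
# The hijack URL is copied verbatim from the thread, including the forum's "..." truncation.
LOG_AFTER_SCAN = LOG_AFTER_FIX.replace(
    "C:\\WINDOWS\\Explorer.EXE\n",
    "C:\\WINDOWS\\Explorer.EXE\nC:\\Programmi\\Microsoft AntiSpyware\\gcasServ.exe\n",
).replace(
    "O2 - BHO:",
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html\n"
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html\n"
    "O2 - BHO:", 1)

if __name__ == "__main__":
    new, gone, new_procs = diff_logs(LOG_AFTER_FIX, LOG_AFTER_SCAN)
    for sec, body in new:
        print("REAPPEARED:", sec, body)
    for proc in new_procs:
        print("NEW PROCESS:", proc)
    for key, value in suspicious_ie_settings(parse_hjt(LOG_AFTER_SCAN)):
        print("SUSPECT IE SETTING:", key, "->", value)
```

Run on the two constructed logs, the diff reports the two R1 lines as reappeared and gcasServ.exe as the only process that was not running during the clean scan; that is a correlation, not proof of which process wrote the keys, so it is a pointer for where to look next (for example with a registry monitor), not a verdict.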

#23 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
It looks like AntiSpyware is the bad guy now. It's putting this malware back time and time again.


Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Then open HijackThis and fix those two again.
Close HijackThis.

Open Internet Explorer. Go to Internet Options and change your start page by using the current page (just to try).
Close Internet Explorer.

Reboot the computer.

Let's see if it sticks. Please check.

Now reverse what we did in AntiSpyware. Is it prompting you that there is a change? Please allow it.

Let me know how things are now.

#24 lestat82 (Member, Topic Starter, 16 posts)
Each time I uncheck those items in AntiSpyware and press Save settings, the boxes are automatically re-checked. I don't know whether I should just uninstall it before proceeding with the fix... what would you suggest? Though I had uninstalled it earlier, and the malware was still there (or at least it seemed to be there).
Now, guess what's new? I scanned 3 times with MS AntiSpyware and it isn't detecting anything... yet the Search Bar lines are still found by HijackThis.

What do you think about that?

Edited by lestat82, 16 May 2005 - 03:38 PM.


#25 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Let's put a check against them using HijackThis and fix them. Then reboot. See what happens next.

Let me know?

#26 lestat82 (Member, Topic Starter, 16 posts)
OK, I fixed those two Search Bar items, rebooted my computer, and when I got back on they were gone from HijackThis.

I ran MS AntiSpyware and it detected the malware. Just after that I ran HijackThis again, and the two bad lines were there.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 0.40.54, on 17/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Netscape\Netscape\Netscp.exe
C:\Programmi\SEC\MagicTune 2.5\GammaTray.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Webshots\webshots.scr
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\Programmi\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\UTENTE1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programmi\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Programmi\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Programmi\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097589077390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24F92186-5C10-4AD5-9554-B89192599332}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#27 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Okay, it seems AntiSpyware is not helping us so far. Let's have AntiSpyware do the job then, and see if that helps.

Open Antispyware.

In the upper right corner, go to Advanced Tools.

Under System Tools, press Browser Hijack Restore.

You'll see this screen (example):

[screenshot of the Browser Hijack Restore list not preserved]

I think the one we are trying to get rid of is in this list and checked.

Put a check next to the page you would like to have as your homepage (uncheck the ones you don't want) and press the Restore button.

Close Antispyware. If you are prompted to grant permission, please do so.

Reboot the computer.

Please post a HijackThis log and let me know how this went.

#28
lestat82

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK, I checked the homepage setting I wanted for IE, which is about:blank. I left all the rest unchecked, and I think I saw those Search Bar lines in that list too.
I saved the setting (Restore), rebooted my computer, and ran about three scans with MS AntiSpyware... it didn't detect anything, but the two infamous lines still appear in HijackThis.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 22.34.37, on 17/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Netscape\Netscape\Netscp.exe
C:\Programmi\Yahoo!\Messenger\ypager.exe
C:\Programmi\SEC\MagicTune 2.5\GammaTray.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Webshots\webshots.scr
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\UTENTE1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vgjzchlto.../xNDcW8ts0.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programmi\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Programmi\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Programmi\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097589077390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24F92186-5C10-4AD5-9554-B89192599332}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#29
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you disable WinPatrol?
If prompted by Spybot, grant permission to the change. (Did you do that this time?)

In the screenshot posted before, on the right-hand side, what is displayed under Details?

#30
lestat82

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Spybot was always closed during the fixes, so it never popped up "asking" for anything.

I just disabled WinPatrol.


On the right-hand side of the screenshot, if I click on the Search Bar items, it shows:


*Current setting:

Here it displays the Search Bar address...which is the one displayed in the HijackThis lines


*Restore setting to:

Same address as above;


*Internet Explorer default setting:

http://home.microsof...obby/search.asp


*Technical details:

Registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\main [Search Bar]


Then, below this:

*Change restore setting to a new URL...or

*Restore this setting now.



It says the same for the second Search Bar item too.
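An added example, not code from this thread, from HijackThis or from Microsoft AntiSpyware: a small Python checker for the R0/R1 lines of a HijackThis log. It flags Start Page / Search Bar values that point at hosts outside an assumed trusted list, and reports which hives carry the same value, the point the posts above circle around (the same Search Bar URL sits under both HKCU and HKLM, and the "Technical details" pane names the HKLM copy). The sample log lines, the trusted-host list and the .invalid hijack domain are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: IE home/search settings pointing at these hosts are
# treated as benign. Anything else (or a non-URL value) is flagged for review.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com")

# Constructed sample lines in HijackThis 1.99 "R" format. The hijack domain is
# fictitious (.invalid TLD); these are not lines from the original thread's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hijack-example.invalid/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hijack-example.invalid/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\AcroIEHelper.dll
"""

# R0/R1 lines look like:  R1 - HKLM\Software\...\Main,Search Bar = http://...
R_LINE = re.compile(
    r"^(?P<section>R[01]) - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$"
)


def parse_r_entries(log_text):
    """Return every R0/R1 entry as a dict with section, hive, key, name and value."""
    entries = []
    for line in log_text.splitlines():
        match = R_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def is_suspicious(value, trusted=TRUSTED_HOST_SUFFIXES):
    """True when a Start Page / Search Bar value points somewhere we do not trust."""
    value = value.strip()
    if value == "" or value.lower().startswith("about:"):
        return False                      # about:blank and empty values are fine
    host = (urlparse(value).hostname or "").lower()
    if not host:
        return True                       # not a URL we can vet: flag it
    return not any(host == s or host.endswith("." + s) for s in trusted)


def find_hijacks(log_text):
    """All R0/R1 entries whose value points at an untrusted host."""
    return [e for e in parse_r_entries(log_text) if is_suspicious(e["value"])]


def hives_per_setting(log_text):
    """Group flagged entries by (setting name, value) -> set of hives that carry it.

    A setting present under both HKCU and HKLM has to be corrected in both:
    the HKLM copy is the machine-wide default, so fixing only the user hive
    leaves the bad value behind.
    """
    grouped = {}
    for e in find_hijacks(log_text):
        grouped.setdefault((e["name"], e["value"]), set()).add(e["hive"])
    return grouped


if __name__ == "__main__":
    for (name, value), hives in hives_per_setting(SAMPLE_LOG).items():
        print(f"{name!r} -> {value}  set in: {', '.join(sorted(hives))}")
```

To use it on a real log, pass the saved file's contents to hives_per_setting. The registry path shown under "Technical details" (HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, value Search Bar) is exactly the hive, key and value name that an R1 line encodes, so an entry reported for both HKCU and HKLM is the signal that a single restore in one hive will not be enough.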