Geeks to Go forums
Pop ups and files [RESOLVED]


This topic is locked.

#1 frogger (Member, 32 posts)
Hi,

I am getting all sorts of pop-up browsers and files that keep appearing in my folder c:/documents and settings/frogger/

Every time I try to delete them they keep coming back. These files are called:

c.exe
down.exe
efvefefe.exe
protect.exe
sefer.exe
tasks
tool.exe

Hope you can help to get my computer back to normal.

See log below.

Thanks
Froggers




Logfile of HijackThis v1.99.1
Scan saved at 8:50:32 PM, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\video2.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
c:\PROGRA~1\MICROS~2\OFFICE\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\frogger\down.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Tools\CuteFTP\cutftp32.exe
C:\Documents and Settings\frogger\tool.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\QSERVER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Tools\HijackThis\HijackThis.exe
C:\Documents and Settings\frogger\c.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgAU1742.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system\blank.htm
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\IPREG32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsk17C.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {A4DBE7A4-9901-4BB8-B8B5-963D6FE762A5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DBE7A4-9901-4BB8-B8B5-963D6FE762A5} - (no file) (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {057EA4D3-A54E-6F2C-9D6E-48F43739499A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1B803F7C-AC62-583A-8DC0-58976F83D2A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1E5FC1C1-02FF-743E-3270-0AD83D487064} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25BEB897-DCF5-6E45-5708-05CF7638F454} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {286B8E52-9182-7B2B-945F-076B743E9A2E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2BB76598-C309-4B43-35B5-37C0302DBE5F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {324B7024-FC7D-784F-7A6F-07CD665A17BF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {47803DA0-0FB7-2B9B-C301-40522FFE3632} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B4D3542-F2B8-2E66-719F-5B99620CD3B3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F61B714-E25B-3C7B-4D23-47B631FA0DFD} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108977554811
O16 - DPF: {6A35D9D5-6034-7186-348A-6BF1322A0B8E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {719133D0-E02A-67A5-625F-18B60FF51BD7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {733EA44F-8393-08EA-EF3B-265F006BED41} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {77BC4874-902D-1671-273E-22793D11CEB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...activex/mp3.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


#2 therock247uk (Expert, MVP, 14,671 posts)
1. Go to Start > Settings > Control Panel > Add/Remove and uninstall the following:

P2P Networking
Internet Optimizer

2. Then post a new HijackThis log here in a reply.

#3 frogger (Topic Starter, Member, 32 posts)
Thanks for getting back to me.

I have now uninstalled:

P2P Networking
Internet Optimizer

Still getting loads of files trying to access.

See below for new log.

Thanks for your help with this.

Frogger

Logfile of HijackThis v1.99.1
Scan saved at 6:46:49 PM, on 18/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\video2.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Documents and Settings\frogger\down.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Tools\HijackThis\HijackThis.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\rdgAU1742.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system\blank.htm
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\IPREG32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc1D1.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm14.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {A4DBE7A4-9901-4BB8-B8B5-963D6FE762A5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DBE7A4-9901-4BB8-B8B5-963D6FE762A5} - (no file) (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {03E52902-4C28-3CF4-F561-06DB6AFF33F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {057EA4D3-A54E-6F2C-9D6E-48F43739499A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {10D34BA0-774C-0500-8203-70D8073287AB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {130D203C-73BD-2CB1-6969-5DD91C74D93D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82....chm::/file.exe
O16 - DPF: {1B803F7C-AC62-583A-8DC0-58976F83D2A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1E5FC1C1-02FF-743E-3270-0AD83D487064} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25967680-6DE0-6D5F-31A6-685D2FE23154} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25BEB897-DCF5-6E45-5708-05CF7638F454} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25ECF35A-870D-62DD-0A14-4D1C7E3748CB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {286B8E52-9182-7B2B-945F-076B743E9A2E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2BB76598-C309-4B43-35B5-37C0302DBE5F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {313A2AD2-7892-2EE7-0A3E-3CDC4F829356} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {324B7024-FC7D-784F-7A6F-07CD665A17BF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {330B86F9-9DF6-15FE-8C35-7D762D1CE0F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {3DC902EF-998D-15DB-BA0B-6CDF17D60B90} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {47803DA0-0FB7-2B9B-C301-40522FFE3632} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {4E0075F3-0E14-18F5-9BAF-40234B3643E1} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B4D3542-F2B8-2E66-719F-5B99620CD3B3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F61B714-E25B-3C7B-4D23-47B631FA0DFD} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5FBD08B0-925C-014C-B038-54CA6C4978C4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108977554811
O16 - DPF: {6A35D9D5-6034-7186-348A-6BF1322A0B8E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {719133D0-E02A-67A5-625F-18B60FF51BD7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {733EA44F-8393-08EA-EF3B-265F006BED41} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {77BC4874-902D-1671-273E-22793D11CEB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe
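Comparing the two logs posted so far by eye is tedious, and the interesting signal is easy to miss: the "ohb" BHO keeps the same CLSID {999A06FF-10EF-4A29-8640-69E99882C26B} but its DLL changed from nsk17C.dll to nsc1D1.dll between scans, a second "ohb" BHO and a cmd32.exe autorun appeared, and the rdgAU1742.exe DPF entries are the same URL under fresh throwaway CLSIDs. The Python script below is an added example written for this thread; it is not part of the thread's original content and not HijackThis's own logic. It indexes entries by the part a dropper rarely changes (CLSID for COM objects, registry value name for Run keys, download URL for DPF entries) and reports what was removed, what is new, what persisted unchanged, and what was re-registered under a different file. The sample lines are copied from the two logs above; the choice of which field counts as "stable" per section is my own assumption.

```python
import re
from typing import Dict, Tuple

# Entries copied from the first (16/05) and second (18/05) HijackThis logs
# posted in this thread; only the lines relevant to the diff are included.
LOG_16_MAY = r"""
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsk17C.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O16 - DPF: {057EA4D3-A54E-6F2C-9D6E-48F43739499A} - http://67.19.178.86/1/rdgAU1742.exe
"""

LOG_18_MAY = r"""
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc1D1.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm14.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O16 - DPF: {03E52902-4C28-3CF4-F561-06DB6AFF33F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {057EA4D3-A54E-6F2C-9D6E-48F43739499A} - http://67.19.178.86/1/rdgAU1742.exe
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
Key = Tuple[str, str]


def identity(section: str, body: str) -> Tuple[Key, str]:
    """Return (stable key, comparable value) for one HijackThis entry.

    The key is the part a dropper rarely changes between reinstalls; the value
    is the part worth comparing. Which field is "stable" per section is an
    assumption made for this example, not a HijackThis rule.
    """
    if section in ("O2", "O3", "O9"):           # COM objects: IE loads them by CLSID
        m = CLSID.search(body)
        path = body.rsplit(" - ", 1)[-1].strip()
        return (section, m.group(0).upper() if m else body), path
    if section == "O4":                          # autoruns: the registry value name
        m = re.match(r".*?\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
        if m:
            return (section, m.group("name").lower()), m.group("cmd").strip('" ')
    if section == "O16":                         # DPF: the URL; its CLSID is throwaway
        url = body.rsplit(" - ", 1)[-1].strip()
        return (section, url.lower()), url
    return (section, body), body


def index_log(text: str) -> Dict[Key, str]:
    """Map each entry's stable key to its comparable value."""
    out: Dict[Key, str] = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            key, value = identity(m.group("section"), m.group("body"))
            out[key] = value
    return out


def diff_logs(before: str, after: str) -> Dict[str, list]:
    """Classify entries as removed, new, persisted, or re-registered (changed)."""
    a, b = index_log(before), index_log(after)
    return {
        "removed": sorted(k for k in a if k not in b),
        "new": sorted(k for k in b if k not in a),
        "persisted": sorted(k for k in a if k in b and a[k] == b[k]),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


if __name__ == "__main__":
    for label, items in diff_logs(LOG_16_MAY, LOG_18_MAY).items():
        print(f"== {label} ==")
        for item in items:
            print("  ", item)
```

The "changed" bucket is the one to watch on a machine like this: a BHO whose CLSID survives a cleanup but comes back under a new random DLL name means something still running on the box is re-dropping it, so deleting the DLL alone will not stick.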

#4 therock247uk (Expert, MVP, 14,671 posts)
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select Safe Mode.

3. While in Safe Mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\IPREG32.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc1D1.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm14.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {A4DBE7A4-9901-4BB8-B8B5-963D6FE762A5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DBE7A4-9901-4BB8-B8B5-963D6FE762A5} - (no file) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {03E52902-4C28-3CF4-F561-06DB6AFF33F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {057EA4D3-A54E-6F2C-9D6E-48F43739499A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {10D34BA0-774C-0500-8203-70D8073287AB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {130D203C-73BD-2CB1-6969-5DD91C74D93D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82....chm::/file.exe
O16 - DPF: {1B803F7C-AC62-583A-8DC0-58976F83D2A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1E5FC1C1-02FF-743E-3270-0AD83D487064} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25967680-6DE0-6D5F-31A6-685D2FE23154} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25BEB897-DCF5-6E45-5708-05CF7638F454} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25ECF35A-870D-62DD-0A14-4D1C7E3748CB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {286B8E52-9182-7B2B-945F-076B743E9A2E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2BB76598-C309-4B43-35B5-37C0302DBE5F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {313A2AD2-7892-2EE7-0A3E-3CDC4F829356} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {324B7024-FC7D-784F-7A6F-07CD665A17BF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {330B86F9-9DF6-15FE-8C35-7D762D1CE0F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {3DC902EF-998D-15DB-BA0B-6CDF17D60B90} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {47803DA0-0FB7-2B9B-C301-40522FFE3632} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {4E0075F3-0E14-18F5-9BAF-40234B3643E1} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B4D3542-F2B8-2E66-719F-5B99620CD3B3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F61B714-E25B-3C7B-4D23-47B631FA0DFD} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5FBD08B0-925C-014C-B038-54CA6C4978C4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6A35D9D5-6034-7186-348A-6BF1322A0B8E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {719133D0-E02A-67A5-625F-18B60FF51BD7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {733EA44F-8393-08EA-EF3B-265F006BED41} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {77BC4874-902D-1671-273E-22793D11CEB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O18 - Protocol: ayb - (no CLSID) - (no file)

4. Delete the following files (if present).

C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\IPREG32.DLL
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\System32\nsc1D1.dll
C:\WINDOWS\System32\nsm14.dll
C:\WINDOWS\winsx.dll
C:\WINDOWS\System32\video2.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\video2.exe
C:\WINDOWS\System32\internat.dll

5. Reboot, then right-click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it, like on the desktop. To run the .inf file, right-click on it and select Install.

6. Then post a new HijackThis log here in a reply.
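The fix list above is the product of a few recurring judgements: an O4 autorun is suspect when it starts from the user's profile or temp folder, or when its value name imitates a Windows component ("Windows Service", "ControlPanel") while pointing at an unknown binary; an O2 BHO is suspect when its DLL was dropped straight into C:\WINDOWS or System32 rather than a product folder; every O15 Trusted Zone addition and the 'http' ProtocolDefaults change weakens IE's zone policy; an O16 DPF entry that fetches a raw .exe from a bare IP, or goes through the ms-its:/mhtml: handler, is a drive-by installer rather than a legitimate ActiveX control; and an O18 handler with no CLSID and no file is an orphan to clean up. The Python script below is an added example for this thread, not HijackThis's own logic, that encodes those heuristics and runs them over entries copied from the logs posted here. The decoy-name list and the rules themselves are my own assumptions and would need tuning before use on anything but this log.

```python
import re
from typing import Dict, List

# Sample entries copied from the HijackThis logs posted in this thread.
# Truncated URLs are kept exactly as the forum rendered them.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc1D1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\video2.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\frogger\local settings\temp\fsg_4203.exe"
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {057EA4D3-A54E-6F2C-9D6E-48F43739499A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82....chm::/file.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108977554811
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_VALUE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<target>[^"]*)')
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)
USER_WRITABLE = re.compile(r"\\(documents and settings|users)\\|\\temp\\", re.I)
WINDOWS_ROOT_DLL = re.compile(r"^[a-z]:\\windows(\\system32|\\system)?\\[^\\]+\.dll$", re.I)
# Run-key value names that imitate Windows components; this list is an assumption.
DECOY_RUN_NAMES = {"windows service", "controlpanel", "system", "windows update"}


def flag(section: str, body: str) -> List[str]:
    """Return the reasons an entry looks suspicious (empty list = nothing to say)."""
    reasons: List[str] = []
    if section == "O4":
        m = RUN_VALUE.search(body)
        if m:
            if m.group("name").strip().lower() in DECOY_RUN_NAMES:
                reasons.append("autorun value name imitates a Windows component")
            if USER_WRITABLE.search(m.group("target")):
                reasons.append("autorun target is in a user-writable profile/temp folder")
    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1].strip()
        if WINDOWS_ROOT_DLL.match(path):
            reasons.append("BHO DLL dropped directly into the Windows directory")
    elif section == "O15":
        if body.startswith("Trusted Zone:"):
            reasons.append("domain added to the IE Trusted Zone")
        elif body.startswith("ProtocolDefaults") and "Trusted Zone" in body:
            reasons.append("all http:// sites mapped to the Trusted Zone")
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith(("ms-its:", "mhtml:")):
            reasons.append("DPF uses the ms-its/mhtml handler to fetch a file")
        if BARE_IP_URL.search(url):
            reasons.append("DPF downloads from a bare IP address")
        if url.lower().endswith(".exe"):
            reasons.append("DPF points at a raw .exe rather than a .cab/.ocx")
    elif section == "O18":
        if "(no CLSID)" in body or "(no file)" in body:
            reasons.append("orphaned protocol handler")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its list of reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        reasons = flag(m.group("section"), m.group("body"))
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample above the Adobe BHO, the Sygate firewall autorun and service, and the Windows Update control pass untouched, while the nine entries the helper singled out are each flagged with a reason; that is the behaviour to preserve when adding rules, since a heuristic that also flags the firewall is worse than none.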

#5 frogger (Topic Starter, Member, 32 posts)
Hopefully we are getting close to fixing this problem.

Thanks again for your help



Logfile of HijackThis v1.99.1
Scan saved at 9:29:50 PM, on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\documents and settings\frogger\local settings\temp\fsg_4203.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\frogger\local settings\temp\fsg_4203.exe"
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe

#6 therock247uk (Expert, MVP)
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\frogger\local settings\temp\fsg_4203.exe"
O18 - Protocol: ayb - (no CLSID) - (no file)

3. Delete the following file (if present):

c:\documents and settings\frogger\local settings\temp\fsg_4203.exe

4. Then post a new HijackThis log here in a reply.

#7 frogger (Topic Starter)
Thanks...

Here is the latest scan.

Logfile of HijackThis v1.99.1
Scan saved at 8:04:57 AM, on 21/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\pd33.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Documents and Settings\frogger\down.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsp25.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {553BCC7C-82E5-12A5-75C6-23D81A58A531} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {582FD2C1-034F-5E2F-D69F-6A076528639D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...activex/mp3.ocx
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe

#8 therock247uk (Expert, MVP)
Looks like you keep getting infected.

Please try not to go on many sites, or to surf the Internet at all, until we are done.

1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select Safe Mode.

3. While in Safe Mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsp25.dll
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {553BCC7C-82E5-12A5-75C6-23D81A58A531} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {582FD2C1-034F-5E2F-D69F-6A076528639D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...activex/mp3.ocx
O18 - Protocol: ayb - (no CLSID) - (no file)

4. Delete the following files (if present):

C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\System32\nsp25.dll
C:\WINDOWS\System32\pd33.exe

5. Reboot, then right-click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it, such as on the desktop. To run the .inf file, right-click on it and select Install.

6. Then post a new HijackThis log here in a reply.
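The last step of the reply above hands the Trusted Zone clean-up to DelDomains.inf. As an added example (not part of this thread, and not that .inf file, whose job it only approximates), here is what such a clean-up amounts to: the O15 lines from the log in post #7 are mapped to the registry keys Internet Explorer stores them in, and a .reg file is produced that deletes those keys and puts the http scheme back in the Internet zone. The ZoneMap and ProtocolDefaults paths are IE's standard locations; the one assumption is that every O15 domain in the log is unwanted, which holds for the log above.

```python
r"""Rebuild HijackThis O15 entries as a .reg file that removes them.

Added example; not code from this thread and not WinHelp2002's DelDomains.inf.
Internet Explorer stores per-site zone assignments under
  <hive>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>
and the default zone for each URL scheme under ...\ZoneMap\ProtocolDefaults
(2 = Trusted sites, 3 = Internet). HijackThis appends "(HKLM)" to entries that
live under HKEY_LOCAL_MACHINE; all others are under HKEY_CURRENT_USER.
Assumption: every O15 domain listed is unwanted, so the whole domain key is
deleted (this also drops any sub-host entries stored beneath it).
"""
import re

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
INTERNET_ZONE = 3

# Constructed sample: O15 lines copied from the log in post #7 of this thread.
SAMPLE_O15 = """\
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
"""

PROTOCOL = re.compile(r"'(\w+)' protocol is in")


def parse_o15(log_text):
    """Yield (hive, kind, value) per O15 line; kind is "domain" or "protocol"."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O15 - "):
            continue
        body = line[len("O15 - "):]
        hive = "HKEY_CURRENT_USER"
        if body.endswith("(HKLM)"):
            hive = "HKEY_LOCAL_MACHINE"
            body = body[:-len("(HKLM)")].rstrip()
        if body.startswith("Trusted Zone:"):
            domain = body.split(":", 1)[1].strip()
            if domain.startswith("*."):   # HijackThis renders a domain-wide entry as *.domain
                domain = domain[2:]
            yield hive, "domain", domain
        elif body.startswith("ProtocolDefaults:"):
            m = PROTOCOL.search(body)
            if m:
                yield hive, "protocol", m.group(1)


def build_reg(log_text):
    """Return the text of a REGEDIT4 (.reg) file undoing every O15 entry in log_text."""
    keys, protocols = [], {}
    for hive, kind, value in parse_o15(log_text):
        if kind == "domain":
            key = f"[-{hive}\\{ZONEMAP}\\Domains\\{value}]"   # leading "-" deletes the key
            if key not in keys:
                keys.append(key)
        else:
            protocols.setdefault(hive, set()).add(value)
    out = ["REGEDIT4", ""]
    for key in keys:
        out += [key, ""]
    for hive in sorted(protocols):
        out.append(f"[{hive}\\{ZONEMAP}\\ProtocolDefaults]")
        out += [f'"{p}"=dword:{INTERNET_ZONE:08x}' for p in sorted(protocols[hive])]
        out.append("")
    return "\r\n".join(out)   # .reg files are CRLF text


if __name__ == "__main__":
    print(build_reg(SAMPLE_O15))
```

Save the output as a .reg file and import it with `regedit /s`, from the affected user's account for the HKEY_CURRENT_USER part and from an administrator account for the HKEY_LOCAL_MACHINE part. Deleting the whole domain key removes the entry whichever scheme value it was stored under. Re-run HijackThis afterwards and check that the O15 lines are actually gone: whatever is still running will simply write them back, which is what happened between posts #9 and #11 of this thread.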

#9 frogger (Topic Starter)
Thanks for help with this.

Here is latest log.

Logfile of HijackThis v1.99.1
Scan saved at 12:59:00 PM, on 21/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
c:\PROGRA~1\MICROS~2\OFFICE\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {47E04A42-4637-3ABD-F9CE-76004CCF5A50} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F0FB38A-279F-3C2C-3A39-656E004DFC4E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {7B3E869E-C659-448F-A0CD-5E3645785919} - http://67.19.178.86/1/rdgAU1742.exe
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe

#10 therock247uk (Expert, MVP)
1. Open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

O16 - DPF: {47E04A42-4637-3ABD-F9CE-76004CCF5A50} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F0FB38A-279F-3C2C-3A39-656E004DFC4E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {7B3E869E-C659-448F-A0CD-5E3645785919} - http://67.19.178.86/1/rdgAU1742.exe
O18 - Protocol: ayb - (no CLSID) - (no file)

2. Then post a new HijackThis log here in a reply.

#11 frogger (Topic Starter)
Hopefully this will fix it.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:34:30 PM, on 23/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\pd33.exe
C:\WINDOWS\System32\combop.exe
C:\WINDOWS\System32\combo.exe
C:\WINDOWS\System32\dload.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
c:\PROGRA~1\MICROS~2\OFFICE\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsp16F.dll
O2 - BHO: IE SP2 AddOn - {AFA5A6F8-927D-4895-BBDF-8B082E2AE70E} - C:\WINDOWS\System32\spxdu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {020E1920-399A-4E44-E336-79184735FB3F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {196442C2-9B37-4694-BA99-242506EAD85E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1ACDDFAC-B1B3-726A-E4E7-0A6F6BA3372F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1C3D100C-2EEB-46F5-DE7A-6CC56D7AB663} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1C5FAB0D-D06E-7AFF-4D19-3D4C2B56A797} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2D35A546-2207-0809-AF6C-378C143BE0FF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {33D66F14-CD13-2EAA-5814-5FC561CECAB2} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {412EA95B-9A39-36A6-28F3-1AFB264E11EF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {4233D199-7A57-0ED4-ECFC-6AE05A4B9278} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44371ACE-3860-1393-BEDF-7FE542CB8678} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A085206-A820-5177-C550-44F54BAA4C19} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AB3BFA5-C125-23E2-D605-424961D596FB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6E6786AB-3656-21DD-CA5F-5A6738D07249} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...activex/mp3.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F6612CD-A408-404B-B765-B68236B01AF2}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D229C121-B898-474B-8887-E9C73B0E6F09}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F6612CD-A408-404B-B765-B68236B01AF2}: NameServer = 69.50.176.156,195.225.176.31
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe

#12 therock247uk (Expert, MVP)
Please visit this tutorial and follow the steps there to remove the infection.

Once finished with those instructions, please re-run HijackThis and post a fresh log so we can see what we have left over.

Good Luck
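The reply above sends the poster to a tutorial, and the log in post #11 shows why a line-by-line fix list no longer suffices: the O2/O4/O15/O16/O18 entries removed in earlier replies are back, and the O17 lines now show the DNS servers of every adapter overridden with 69.50.176.156 and 195.225.176.31, which only the ISP's own settings can confirm or refute. As an added example (not code from HijackThis or from anyone in this thread), here are the rules that replies #6, #8 and #10 apply by eye, written as a Python triage script over HijackThis 1.99-style lines: autoruns launched from the user's temp folder, autoruns given as a bare filename, wildcard Trusted Zone domains, http mapped to the Trusted Zone, ActiveX (O16) downloads of an .exe or from a raw IP, O17 NameServer values not on an expected list, and O18 protocol handlers with no CLSID or file. The sample lines are copied from the logs in this thread; the expected resolver 192.0.2.53 is a documentation address standing in for the ISP's real resolvers, which the script needs before it can rate an O17 override as more than "review".

```python
"""HijackThis log triage: the rules applied by eye in the replies of this thread.

Added example; not code from HijackThis or from anyone in this thread.
Assumptions: HijackThis 1.99-style lines, and an optional list of the
resolvers the ISP really hands out, so O17 NameServer overrides can be
judged rather than merely listed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\frogger\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [combop.exe] combop.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {553BCC7C-82E5-12A5-75C6-23D81A58A531} - http://67.19.178.86/1/rdgAU1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F6612CD-A408-404B-B765-B68236B01AF2}: NameServer = 69.50.176.156,195.225.176.31
O18 - Protocol: ayb - (no CLSID) - (no file)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

O4_COMMAND = re.compile(r"\[[^\]]*\]\s*(.*)$")        # text after "[value name] "
USER_TEMP = re.compile(r"\\local settings\\temp\\", re.I)
NAMESERVER = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")


def _host_is_ip(url):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
    except ValueError:
        return False
    return True


def triage(log_text, expected_dns=()):
    """Return (severity, section, reason, line) for each entry a rule matches.

    severity is "high" (fix it) or "review" (check by hand). Entries no rule
    matches are accepted silently, so a clean log yields an empty list.
    """
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section, body = line.split(" - ", 1)
        hit = None
        if section == "O4":
            m = O4_COMMAND.search(body)
            cmd = (m.group(1) if m else body).strip().strip('"')
            if USER_TEMP.search(cmd):
                hit = ("high", "autorun launched from the user's temp folder")
            elif "\\" not in cmd.split(" ", 1)[0]:
                hit = ("review", "autorun given as a bare filename; locate the file first")
        elif section == "O15":
            if body.startswith("ProtocolDefaults:"):
                hit = ("high", "http mapped to the Trusted Zone, so every site is trusted")
            elif body.startswith("Trusted Zone:"):
                domain = body.split(":", 1)[1].replace("(HKLM)", "").strip()
                hit = ("high" if domain.startswith("*.") else "review",
                       "Trusted Zone entry for " + domain)
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if _host_is_ip(url) or url.lower().endswith(".exe"):
                hit = ("high", "ActiveX download of an .exe or from a raw IP address")
            else:
                hit = ("review", "ActiveX download; confirm the publisher")
        elif section == "O17":
            m = NAMESERVER.search(body)
            servers = [ipaddress.ip_address(s.strip())
                       for s in m.group(1).split(",")] if m else []
            rogue = [str(s) for s in servers if s not in expected]
            if rogue:
                hit = ("high" if expected else "review",
                       "DNS resolvers not on the expected list: " + ", ".join(rogue))
        elif section == "O18":
            if "(no CLSID)" in body or "(no file)" in body:
                hit = ("high", "protocol handler with no CLSID or file, left behind by a hijacker")
        if hit:
            findings.append((hit[0], section, hit[1], line))
    return findings


def by_severity(findings, severity):
    """Subset of findings with the given severity, in log order."""
    return [f for f in findings if f[0] == severity]


if __name__ == "__main__":
    # 192.0.2.53 is a documentation address standing in for the ISP's resolvers.
    for sev, section, reason, line in triage(SAMPLE_LOG, expected_dns=("192.0.2.53",)):
        print(f"{sev:6} {section:4} {reason}\n       {line}")
```

Run it over a whole saved log rather than hand-picked lines; the point is that a bare filename such as combop.exe cannot be judged from the log alone, while a temp-folder autorun, a wildcard Trusted Zone domain, an .exe served from a raw IP and an orphaned protocol handler can. The O17 rule only escalates to "high" when it has been told which resolvers are legitimate, since a log cannot show that by itself.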

#13 frogger (Topic Starter)
Hi All,

Well, hopefully we can get rid of these viruses. I managed to download the Kaspersky Anti-Virus Personal 5.0 software the other day. As I ran out of time to scan for errors, I decided to run it the next day. After restarting my computer and trying to download the updated anti-virus database, it seems like something has now affected my Internet Properties connection cable settings. It has deleted my current Optus settings and won't let me add them back in. It keeps changing my password, which restricts me from connecting. Hopefully you can help me get that back to normal. I am adding this from my work computer. I managed to run the scan from KAV; see below for the HijackThis log. Hopefully this will give you some insight to finally get my computer back to normal and work out how I can get rid of this Internet property connection virus.
Thanks again.
Frogger


Logfile of HijackThis v1.99.1
Scan saved at 8:27:31 PM, on 25/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\combo.exe
C:\WINDOWS\System32\combop.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\pd33.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Internet Tools\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {72598E3A-733F-655C-2A10-6C19FD321BA0} - KeywordFinder.dll (file missing)
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nse3E.dll
O2 - BHO: IE SP2 AddOn - {AFA5A6F8-927D-4895-BBDF-8B082E2AE70E} - C:\WINDOWS\System32\spxdu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [SpyElim] WhatsNewBot.exe
O4 - HKLM\..\Run: [AliceSD] panel_its.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [mozilla-text] utsgmon.exe
O4 - HKCU\..\Run: [EXE32EXE] Serviceprocess.exe
O4 - HKCU\..\Run: [iesetupdll] syspanel.exe
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {020E1920-399A-4E44-E336-79184735FB3F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {196442C2-9B37-4694-BA99-242506EAD85E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1ACDDFAC-B1B3-726A-E4E7-0A6F6BA3372F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1C3D100C-2EEB-46F5-DE7A-6CC56D7AB663} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1C5FAB0D-D06E-7AFF-4D19-3D4C2B56A797} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2D35A546-2207-0809-AF6C-378C143BE0FF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {33D66F14-CD13-2EAA-5814-5FC561CECAB2} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {412EA95B-9A39-36A6-28F3-1AFB264E11EF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {4233D199-7A57-0ED4-ECFC-6AE05A4B9278} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44371ACE-3860-1393-BEDF-7FE542CB8678} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A085206-A820-5177-C550-44F54BAA4C19} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AB3BFA5-C125-23E2-D605-424961D596FB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6E6786AB-3656-21DD-CA5F-5A6738D07249} - http://67.19.178.86/1/rdgAU1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F6612CD-A408-404B-B765-B68236B01AF2}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D229C121-B898-474B-8887-E9C73B0E6F09}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F6612CD-A408-404B-B765-B68236B01AF2}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe

#14 therock247uk (Expert, MVP, 14,671 posts)
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select Safe Mode.

3. While in Safe Mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

R3 - URLSearchHook: (no name) - {72598E3A-733F-655C-2A10-6C19FD321BA0} - KeywordFinder.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nse3E.dll
O2 - BHO: IE SP2 AddOn - {AFA5A6F8-927D-4895-BBDF-8B082E2AE70E} - C:\WINDOWS\System32\spxdu.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [SpyElim] WhatsNewBot.exe
O4 - HKLM\..\Run: [AliceSD] panel_its.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [mozilla-text] utsgmon.exe
O4 - HKCU\..\Run: [EXE32EXE] Serviceprocess.exe
O4 - HKCU\..\Run: [iesetupdll] syspanel.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {020E1920-399A-4E44-E336-79184735FB3F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {196442C2-9B37-4694-BA99-242506EAD85E} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1ACDDFAC-B1B3-726A-E4E7-0A6F6BA3372F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1C3D100C-2EEB-46F5-DE7A-6CC56D7AB663} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1C5FAB0D-D06E-7AFF-4D19-3D4C2B56A797} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2D35A546-2207-0809-AF6C-378C143BE0FF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {33D66F14-CD13-2EAA-5814-5FC561CECAB2} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {412EA95B-9A39-36A6-28F3-1AFB264E11EF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {4233D199-7A57-0ED4-ECFC-6AE05A4B9278} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44371ACE-3860-1393-BEDF-7FE542CB8678} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A085206-A820-5177-C550-44F54BAA4C19} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AB3BFA5-C125-23E2-D605-424961D596FB} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6E6786AB-3656-21DD-CA5F-5A6738D07249} - http://67.19.178.86/1/rdgAU1742.exe

4. Delete the folders (if present).

C:\Program Files\WareOut\

5. Delete the files (if present).

c:\windows\system\BHOmod.dll
C:\WINDOWS\System32\nse3E.dll
C:\WINDOWS\System32\spxdu.dll
C:\WINDOWS\System32\ie2cltr.dll
C:\WINDOWS\System32\pd33.exe

These files might be in C:\, C:\Windows or C:\Windows\System32; if found, delete them.

combo.exe
combop.exe
WhatsNewBot.exe
panel_its.exe
utsgmon.exe
Serviceprocess.exe
syspanel.exe

6. Reboot, then right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it, like on the desktop. To run the .inf file, right click on it and select Install.

7. A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

   1. Please download LSPFix from here.
   2. Run the LSPFix.exe that you have just finished downloading.
   3. Check the "I know what I'm doing" box.
   4. In the Keep box you should see one or more instances of fltmgr.dll.
   5. Select every instance of fltmgr.dll and move each one to the Remove box by clicking the >> button.
   6. When you are done, click Finish>>.

8. Then post a new HijackThis log here in a reply.
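The entry types the reply above acts on (O4 Run keys, O10 Winsock LSP modules, O15 Trusted Zone and ProtocolDefaults changes, O16 DPF downloads from a bare IP, plus the O17 NameServer overrides visible in the log) can be pre-screened mechanically before a human reads the log. The following Python script is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool the helpers use. It parses a constructed excerpt of lines in the HijackThis 1.99.1 format shown above and flags entries for review using simple triage rules of my own: a Run command without a drive-letter path (resolved through the search path, so worth a look), any unknown LSP module, any Trusted Zone addition or protocol-default change, a DPF URL whose host is a bare IP address, and any NameServer override. The rules are heuristics that shortlist lines for a reviewer; they do not decide what is malicious.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99.1 format: a subset of the kinds of
# entries seen in the thread, not a copy of the poster's full log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {020E1920-399A-4E44-E336-79184735FB3F} - http://67.19.178.86/1/rdgAU1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# "O4 - <body>", "R3 - <body>", "N1 - <body>" ... ; header and process lines do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Body of an O4 autorun entry: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# A command that starts with an (optionally quoted) drive-letter path.
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
# A URL whose host is a bare dotted-quad IP address rather than a hostname.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)
NS_RE = re.compile(r"NameServer = (.+)$")


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a reviewer's attention.

    These are triage heuristics (my own assumptions, not HijackThis logic):
    they shortlist lines, they do not classify them as malicious.
    """
    findings = []
    lsp_seen = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # log header, "Running processes:" block, blank lines
        section, body = m.groups()

        if section == "O4":
            run = RUN_RE.match(body)
            if run and not FULL_PATH_RE.match(run.group(3)):
                findings.append((section,
                                 "Run entry with bare filename (resolved via search path)",
                                 line))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            path = body.split(":", 1)[1].strip().lower()
            lsp_seen[path] += 1
            findings.append((section,
                             f"unknown Winsock LSP module (occurrence {lsp_seen[path]})",
                             line))
        elif section == "O15":
            if body.startswith("Trusted Zone:"):
                findings.append((section, "domain added to IE Trusted Zone", line))
            elif body.startswith("ProtocolDefaults:"):
                findings.append((section, "protocol default zone changed", line))
        elif section == "O16" and IP_URL_RE.search(body):
            findings.append((section, "ActiveX download (DPF) from bare-IP URL", line))
        elif section == "O17":
            ns = NS_RE.search(body)
            if ns:
                findings.append((section,
                                 f"NameServer override: {ns.group(1)} (verify against expected resolvers)",
                                 line))
    return findings


def summarize(findings):
    """Count flagged entries per HijackThis section, e.g. {'O4': 1, 'O10': 2, ...}."""
    return dict(Counter(section for section, _, _ in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, reason, line in hits:
        print(f"[{section}] {reason}\n    {line}")
    print("summary:", summarize(hits))
```

Feed it a saved log with `triage(open("hijackthis.log").read())`; entries that pass the heuristics (an O4 with a full path, like the pd33.exe line in the sample) still need the reviewer's eye, which is why the script prints every matching line rather than a verdict.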

#15 frogger (Topic Starter, Member, 32 posts)
Hi There,

I think we might be getting close.
Please see below:

Logfile of HijackThis v1.99.1
Scan saved at 3:16:46 PM, on 29/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\keyhook.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10MT2.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\SAGENT4.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10MT2.EXE
c:\PROGRA~1\MICROS~2\OFFICE\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\INTERNET TOOLS\DAP\DAPIEBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D229C121-B898-474B-8887-E9C73B0E6F09}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe