Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

sponsored link (& more im sure) [CLOSED]


  • This topic is locked This topic is locked

#1
shalowater

shalowater

    Member

  • Member
  • PipPip
  • 18 posts
here is my hijackthis log (for now)

Logfile of HijackThis v1.99.1
Scan saved at 8:41:10 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Keymaestro\Onscreen Display\OSD.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shalowater.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\SHALOW~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107815592703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

thanks

//sandra.
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Please print these instructions out, or write them down, as you can't read them during the fix.
Be sure to follow every step.

First, download;

- About:buster

Unzip the contents of AboutBuster.zip and an About:Buster directory will be created.
- Launch About:Buster
- Click "Ok" at the prompt with instructions.
- Click "Update" and then "Check For Update" to launch the update process.
- If any updates exist please download them by clicking "Download Update". After this, exit the updating window.
- Now please close About:Buster


- Clean Up

Install Cleanup and get it ready to be used, but don't run it yet.

- Spybot S&D

=> An tutorial for SpyBot

Run the program, as instructed on the link. ;)

After this, please download CWShredder v 2.15
When installed, launch it, check for any updates, and close it. Don't Run A Scan Yet!


Please run at least two of these free online scans here (use the "Auto-clean" - option);

- BitDefender
- RAV
- Kaspersky
- Jotti Virusscan
- A2

Please now run CWShredder v. 2.15, use the "Fix" button.

Once you have done all of this;

Disconnect from the internet. {For broadband/cable users, it is recommended to disconnect the cable connection}
Please boot up into Safe Mode.

While rebooting your computer, tap f8 continuosly. A menu should come up, choose to go to Safe Mode.


While at Safe Mode, please run About:Buster;

Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
Click "Yes" to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it.
When the scan has finished, and log saved, please reboot your computer to Safe Mode again.


Ok, now run About:Buster again without the reboot in the end.


Run a scan with HJT (making sure that only HJT is running) and check these objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shalowater.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\SHALOW~1\LOCALS~1\Temp\se.dll,DllInstall


Again, run CWShredder v. 2.15 and use the "Fix" - button.

Run CleanUp! making sure to reboot when prompted.
Once your Windows has loaded, run a new scan with HJT & once it has finished, connect back to the internet so that you can post the fresh HJT log here along with the log from About:Buster.

- Rawe :tazz:
  • 0

#3
shalowater

shalowater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hi Rawe *waves*

ok. i tried to do these things. but im stuck now and i guess i should start over from scratch cause i ran into some snags. explained below.

re: aboutbuster //

when i first ran it it didnt quite go like your instructions say and at the end i got an error.

i found this

~ Problem: Error 339 Missing comctl32.ocx
~ Solution: Download file from

http://www.ascentive...ib/COMCTL32.OCX

Copy it into your system folder (Windows XP, 2000, NT = C:\Windows\System32) or (Win ME, 98, 95 = C:\Windows\System) and register it.


in the help for the program in the zip file and downloaded and copied that to my C:\Windows\System32 like it says to but i dont know what it means to "register it"

i ran "aboutbuster" in normal mode (not safe) again after i copied that and it says it found nothing. i did make a log thou. i think.

re: online scans //

i cant get the online scans to work cause they all give me errors about "active x"

do i need to do those? do i need "active x"?

i use "firefox" as my browser and im running service pack 2 (which i updated to by accident while my computer was infected a while back ;) )

i dont use "ie" but i tried to use it for those online scans. i even put my securities on medium like one page told me too but it still won't run 'cause of that "active x" thing.

do i need to change my settings back to what they were before medium? i cant remember what it was now.

-----------------------------------------------------------------------------------------------

im leaving this as is for now. i did install newer versions (from the ones on my computer) of "spybot search & destroy" and "cwshredder"

they both found nothing as well. good maybe. :tazz: i dunno.

;) //sandra.

thanxx for your help so far.

Edited by shalowater, 15 July 2005 - 01:06 AM.

  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again!

Ok, since you had problems with the process, we'll try couple different tools. ;)

Download & install CleanUp if you don't have it already. Don't run the program yet.

We'll get this sorted for you.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directoy as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Now run CleanUp! making sure to reboot your PC when prompted. Once your Windows has loaded back to normal mode, run a new scan with HJT. Post the fresh log here along with the log from SpySweeper.

- Rawe :tazz:
  • 0

#5
shalowater

shalowater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
done.

re: spy sweeper

it said i had something called "cydoor peer to peer dependancy"

when i went to remove everything checked that ^^ said that it was needed for programs like kazaa and a few others. i have kazaa so i told it not to remove it.

that ok?

anyways, here are my logs.

----------------------------- hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 4:09:22 AM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Keymaestro\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shalowater.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\SHALOW~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107815592703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

-------------------------------------------------------------------------------------------------

------------------------------------------------------------------------ spy sweeper log

********
3:35 AM: |··· Start of Session, Friday, July 15, 2005 ···|
3:35 AM: Spy Sweeper started
3:35 AM: Sweep initiated using definitions version 504
3:35 AM: Starting Memory Sweep
3:38 AM: Memory Sweep Complete, Elapsed Time: 00:02:57
3:38 AM: Starting Registry Sweep
3:38 AM: Found Adware: cws-aboutblank
3:38 AM: HKLM\software\microsoft\windows\currentversion\run\ || sp (ID = 4283277)
3:38 AM: Found Trojan Horse: trojan-downloader-pacisoft
3:38 AM: HKU\S-1-5-21-2052111302-630328440-725345543-1003\software\pacisoft\ (7 subtraces) (ID = 4303308)
3:38 AM: Found Adware: roings search enhancment
3:38 AM: HKLM\software\ssprint\ (2 subtraces) (ID = 4307106)
3:38 AM: Found Adware: shopathomeselect
3:38 AM: HKLM\software\ || test (ID = 4308630)
3:38 AM: HKLM\software\classes\webinstaller.cexecute.1\ (3 subtraces) (ID = 4308646)
3:38 AM: HKCR\webinstaller.cexecute.1\ (3 subtraces) (ID = 4308706)
3:38 AM: Found Adware: abetterinternet
3:38 AM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 4313356)
3:38 AM: Found Adware: winad
3:38 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 4314446)
3:38 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 4314478)
3:38 AM: Registry Sweep Complete, Elapsed Time:00:00:14
3:38 AM: Starting Cookie Sweep
3:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:38 AM: Starting File Sweep
3:38 AM: Found Adware: begin2search
3:38 AM: c:\windows\system32\cache32_rtneg2 (2 subtraces) (ID = 3995835)
3:39 AM: Found Adware: cydoor peer-to-peer dependency
3:39 AM: cd_clint.dll (ID = 4002694)
3:40 AM: popupkiller2asdf.ico (ID = 3995810)
3:41 AM: bingo_big2.ico (ID = 3995774)
3:41 AM: abiuninst.htm (ID = 4031749)
3:44 AM: greenmovie2313asaadsasfad112341231adsfa.ico (ID = 3995785)
3:44 AM: mp3red51aads.ico (ID = 3995796)
3:44 AM: kas pink1233aadsfa.ico (ID = 3995793)
3:44 AM: bundlelite_westfrontier1001.exe (ID = 4023494)
3:45 AM: u6f6uftuc_.ini (ID = 4023802)
3:45 AM: hochkaod3_.ini (ID = 4023618)
3:45 AM: hochkaod3.ini (ID = 4023618)
3:45 AM: File Sweep Complete, Elapsed Time: 00:06:38
3:45 AM: Full Sweep has completed. Elapsed time 00:09:54
3:45 AM: Traces Found: 52
3:46 AM: Removal process initiated
3:46 AM: Quarantining All Traces: cws-aboutblank
3:46 AM: Quarantining All Traces: trojan-downloader-pacisoft
3:46 AM: Quarantining All Traces: roings search enhancment
3:46 AM: Quarantining All Traces: shopathomeselect
3:46 AM: Quarantining All Traces: abetterinternet
3:46 AM: Quarantining All Traces: winad
3:46 AM: Quarantining All Traces: begin2search
3:46 AM: Removal process completed. Elapsed time 00:00:44
********
3:32 AM: |··· Start of Session, Friday, July 15, 2005 ···|
3:32 AM: Spy Sweeper started
3:33 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
3:35 AM: |··· End of Session, Friday, July 15, 2005 ···|

------------------------------------------------------------------------------------

thx.

s.

Edited by shalowater, 15 July 2005 - 02:14 AM.

  • 0

#6
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again! About Kazaa.. It actually comes bundled with malware. If it's ok with you, once we get your computer back clean, I'll give you an link to an article which shows clean/infected P2P programs. Kazaa is NOT clean, and it's likely a part of the problem on your machine.

Click Start -> Control Panel -> Add/Remove Programs
uninstall the following entry if present;

Kazaa

Using Windows Explorer, locate the following folder and delete if present;

C:\Program Files\Kazaa (Note, this is the default install location for Kazaa, if you have installed it elsewhere, please go there and delete the folder.)

Then, do the following;

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Run CleanUp making sure to reboot when prompted. Once your Windows has loaded, in place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

This scan isn't online scan, it doesn't use Java OR ActiveX. Use Firefox to get it.

- Rawe :tazz:
  • 0

#7
shalowater

shalowater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
but i have diet kazaa and kazaa lite. they are suppossed to be free of ads and malware.
  • 0

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Fine. Let's see then. Please post that Anti-spyware log from TrendMicro scan here.
If your problems wont go away without uninstalling Kazaa or other P2P - programs since you don't want to, there's nothing we can do in that case. Just a warning. Let's try first though ;)

Please post that log, I'll let you know further instructions then.

- Rawe :tazz:
  • 0

#9
shalowater

shalowater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
ok thanks. just confused not unwilling. umm, i was just reading that maybe limewire or something maybe a better program. says that it comes adware and spyware free to begin with instead of having to remove stuff.

i have older versions of both kazaa's anyways too so i dunno.

im doing that new scan now.
  • 0

#10
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Good.

Here's a info page for you about P2P programs; http://www.spywarein...m/articles/p2p/

I'm not asking you to uninstall your P2P software for rest of your life, just during the fix.
When your PC is back to clean, install a new P2P program which is a clean one!

Read from that article's list, then decide what you want to use as a clean alternative. ;)

- Rawe :tazz:
  • 0

#11
shalowater

shalowater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
i did the trend micro spyware thing then the cleanup then rebooted then i deleted both folders the diet kazaa & the kazaa lite (in that order) i have not rebooted since deleting those folders.

why delete and not uninstall?

anyways, here's is my trend micro spyware thing log:

Started Scanning
Internet Cookies
Found 'com.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\ResultsFilter'
Found '' in 'Software\Kazaa\Settings'
Found '' in 'Software\Kazaa\Transfer'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Advanced'
Found '' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\LocalContent'
Found '' in 'Software\Kazaa\Skins'
Found '' in 'Software\Kazaa\UserDetails'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found 'Location' in 'SOFTWARE\Magnet'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found 'LastSearchHash' in 'Software\Kazaa'
Found 'ScanFolder' in 'Software\Kazaa\Advanced'
Found 'IgnoreAll' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\Search'
Found 'adult_filter_level' in 'Software\Kazaa\ResultsFilter'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'CacheDiscoveryTime' in 'Software\Kazaa\Transfer'
Found 'CacheHost' in 'Software\Kazaa\Transfer'
Found 'CachePort' in 'Software\Kazaa\Transfer'
Found 'CountryCode' in 'Software\Kazaa\UserDetails'
Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'DlDir0' in 'Software\Kazaa\Transfer'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'AutoConnected' in 'Software\Kazaa\UserDetails'
Found 'firewall_filter' in 'Software\Kazaa\ResultsFilter'
Found 'UseCount' in 'Software\Kazaa\Settings'
Found 'SkinsDir' in 'Software\Kazaa\Skins'
Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
Found 'UserName' in 'Software\Kazaa\UserDetails'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Found 'sp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Internet URL Shortcuts
Files and Directories
Found 'np.tmp' in 'C:\Documents and Settings\shalowater\Application Data\Kazaa Lite\db'
Found 'creditcard32123123123asdsa1.ico' in 'C:\WINDOWS\system32'
Found 'pop up blaster123213.ico' in 'C:\WINDOWS\system32'
Found 'virus hunter yeah1.ico' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'. Error=5.
Checking for 'C:\Documents and Settings\shalowater\Application Data\Kazaa Lite\db\np.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\shalowater\Application Data\Kazaa Lite\db\np.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\shalowater\Application Data\Kazaa Lite\db\np.tmp'
Checking for 'C:\WINDOWS\system32\creditcard32123123123asdsa1.ico' in shortcut areas.
Checking for 'C:\WINDOWS\system32\creditcard32123123123asdsa1.ico' in startup areas.
Cleaning 'C:\WINDOWS\system32\creditcard32123123123asdsa1.ico'
Checking for 'C:\WINDOWS\system32\pop up blaster123213.ico' in shortcut areas.
Checking for 'C:\WINDOWS\system32\pop up blaster123213.ico' in startup areas.
Cleaning 'C:\WINDOWS\system32\pop up blaster123213.ico'
Checking for 'C:\WINDOWS\system32\virus hunter yeah1.ico' in shortcut areas.
Checking for 'C:\WINDOWS\system32\virus hunter yeah1.ico' in startup areas.
Cleaning 'C:\WINDOWS\system32\virus hunter yeah1.ico'
Finished Cleaning
------------------------------------------------------------------------------------------------

i will read that article now

thx.

s.

edit// how do i get my trend micro icon back in case i need to use it again. im confused that it was replaced with the log?

Edited by shalowater, 15 July 2005 - 01:12 PM.

  • 0

#12
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
That scan is meant to be a utility that cleans what it scans, then it's gone after reboot. It will then show log. You can download it anytime you need it.

As for the Kazaa thing.. I actually did ask you to uninstall it. Did you just delete the folder? If so, you have deleted the uninstaller for it too, take a look at the Add/Remove programs list, and see if Kazaa is listed there.

Before going further, please run CleanUp! and reboot.

Once your Windows has loaded;

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


Then run following online Anti-virus scan (Be sure to use the "Auto-clean" option);

- Trend Micro (It supports Java so you can run it on Firefox.)

After this, run a new scan with HiJackThis and save the results.

Post the results from the online A/V scan, uninstall list as well as the fresh log from HiJackThis.. We'll continue then.

- Rawe :tazz:
  • 0

#13
shalowater

shalowater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
i just deleted them. im sorry. i didnt read it right.

there are still there in the add / remove list they say that the files may already be unistalled. do i let add / remove remove them?

im not usually this dumb.
  • 0

#14
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
They won't go from Add/Remove programs - list if you deleted the whole folders,
please remove any leftovers you might find like files and such. Then follow my instructions at my last post.

- Rawe :tazz:
  • 0

#15
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP