Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Internet Optomizer, ISTsvc, ProSiteFinder + [RESOLVED]

Started by Random User #412 , Jul 30 2005 04:24 PM

This topic is locked

#16
therock247uk

Posted 03 August 2005 - 07:14 PM

Expert

Expert
14,672 posts

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe

4. Delete the files. (if present)

These files might either be found in C:\ C:\Windows or C:\Windows\System32 if found delete.

WINDOWS32.exe

5. Reboot and post a new Hijackthis log here in a reply.

#17
Random User #412

Posted 03 August 2005 - 08:09 PM

Member

Topic Starter
Member
21 posts

After rebooting my computer [Before I even saw your new post] I did another scan. There's a lot more stuff now.

Logfile of HijackThis v1.99.1
Scan saved at 4:07:49 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\WINDOWS32.exe
C:\Documents and Settings\Shane Moore\ss.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\pnjdpg.exe
C:\Program Files\srca\ctdl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\??ool32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [fLqtb] C:\WINDOWS\pnjdpg.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKCU\..\Run: [Nata] C:\Program Files\srca\ctdl.exe
O4 - HKCU\..\Run: [Gubiegx] C:\WINDOWS\System32\??ool32.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4809
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#18
therock247uk

Posted 04 August 2005 - 06:28 AM

Expert

Expert
14,672 posts

Ok looks like there is something running in the background that is giving you al lthese infections.

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [fLqtb] C:\WINDOWS\pnjdpg.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKCU\..\Run: [Nata] C:\Program Files\srca\ctdl.exe
O4 - HKCU\..\Run: [Gubiegx] C:\WINDOWS\System32\??ool32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4809

4. Delete the folders. (if present)

C:\Program Files\ISTbar
C:\Program Files\ISTsvc
C:\Program Files\srca

5. Delete the files. (if present)

C:\WINDOWS\pnjdpg.exe

These files might either be found in C:\ C:\Windows or C:\Windows\System32 if found delete.

WINDOWS32.exe

6. Reboot and Download and unzip Silent Runners http://www.silentrun...ent Runners.zip run Slient Runners.vbs it will make a log post that in a reply along with a new Hijackthis log.

#19
Random User #412

Posted 04 August 2005 - 07:21 PM

Member

Topic Starter
Member
21 posts

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

Logfile of HijackThis v1.99.1
Scan saved at 3:21:40 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#20
therock247uk

Posted 04 August 2005 - 07:34 PM

Expert

Expert
14,672 posts

Is that all of the slient runners log it looks small?

#21
Random User #412

Posted 04 August 2005 - 07:41 PM

Member

Topic Starter
Member
21 posts

Yes, that was all of it. Want me to run it again?

#22
therock247uk

Posted 04 August 2005 - 07:44 PM

Expert

Expert
14,672 posts

Yep post all of the log it makes.

#23
Random User #412

Posted 04 August 2005 - 07:50 PM

Member

Topic Starter
Member
21 posts

Ah. I posted all of the log last time, but I guess it just didn't preform correctly. Or something.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Santa Fe Stucco.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 27 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 83 seconds)

#24
therock247uk

Posted 04 August 2005 - 07:53 PM

Expert

Expert
14,672 posts

That seems ok do this.

1. Download and unzip http://skads.org/special/rkfiles.zip to a folder.

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode go to the folder you unzipped rkfiles to and run rkfiles.bat. It will take a long time and it will make a log log.txt. Reboot into normal mode and post that log here in a reply.

#25
Random User #412

Posted 04 August 2005 - 08:28 PM

Member

Topic Starter
Member
21 posts

:\Documents and Settings\Shane Moore\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\msnsmgs.exe: UPX!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

#26
therock247uk

Posted 05 August 2005 - 06:03 AM

Expert

Expert
14,672 posts

Ok delete the file C:\WINDOWS\SYSTEM32\msnsmgs.exe also post a new Hijackthis log for me to make sure you are still clean.

#27
Random User #412

Posted 05 August 2005 - 10:13 AM

Member

Topic Starter
Member
21 posts

Man, this stuff just won't go away.

Logfile of HijackThis v1.99.1
Scan saved at 6:14:26 AM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WINDOWS32.exe
C:\WINDOWS\System32\mssetup32.exe
C:\Program Files\srca\ctdl.exe
C:\Documents and Settings\Shane Moore\ss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shane Moore\Desktop\Spyware Removal Folder\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\Run: [Microsoft Update 32] mssetup32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 32] mssetup32.exe
O4 - HKCU\..\Run: [Nata] C:\Program Files\srca\ctdl.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4809
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#28
therock247uk

Posted 05 August 2005 - 10:20 AM

Expert

Expert
14,672 posts

Hmm ok lets see if anything is hiding.

1. Run all these oline virus scans and tell me what they find.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://www3.ca.com/t...sinfo/scan.aspx

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

Open Ewido again

Click on scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.

Reboot and Post the report Ewido made and a new Hijackthis log here in a reply.

Also question does this PC have more than one account on where other people use the PC?

#29
Random User #412

Posted 05 August 2005 - 11:01 PM

Member

Topic Starter
Member
21 posts

The three links you gave me no longer work on my computer. Housecall and eTrust antivirus do not start [Housecall gives me an Active X error on every page, though it did not do so before], and the Panda ActiveScan page does not even load.

All three of them worked earlier today, but my computer froze up, and then they stopped working.