Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Internet Optomizer, ISTsvc, ProSiteFinder + [RESOLVED]


  • This topic is locked This topic is locked

#16
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe

4. Delete the files. (if present)

These files might either be found in C:\ C:\Windows or C:\Windows\System32 if found delete.

WINDOWS32.exe

5. Reboot and post a new Hijackthis log here in a reply.
  • 0

Advertisements


#17
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
After rebooting my computer [Before I even saw your new post] I did another scan. There's a lot more stuff now.

Logfile of HijackThis v1.99.1
Scan saved at 4:07:49 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\WINDOWS32.exe
C:\Documents and Settings\Shane Moore\ss.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\pnjdpg.exe
C:\Program Files\srca\ctdl.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\??ool32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [fLqtb] C:\WINDOWS\pnjdpg.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKCU\..\Run: [Nata] C:\Program Files\srca\ctdl.exe
O4 - HKCU\..\Run: [Gubiegx] C:\WINDOWS\System32\??ool32.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4809
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#18
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Ok looks like there is something running in the background that is giving you al lthese infections.

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [fLqtb] C:\WINDOWS\pnjdpg.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKCU\..\Run: [Nata] C:\Program Files\srca\ctdl.exe
O4 - HKCU\..\Run: [Gubiegx] C:\WINDOWS\System32\??ool32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4809

4. Delete the folders. (if present)

C:\Program Files\ISTbar
C:\Program Files\ISTsvc
C:\Program Files\srca

5. Delete the files. (if present)

C:\WINDOWS\pnjdpg.exe

These files might either be found in C:\ C:\Windows or C:\Windows\System32 if found delete.

WINDOWS32.exe

6. Reboot and Download and unzip Silent Runners http://www.silentrun...ent Runners.zip run Slient Runners.vbs it will make a log post that in a reply along with a new Hijackthis log.
  • 0

#19
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


Logfile of HijackThis v1.99.1
Scan saved at 3:21:40 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#20
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Is that all of the slient runners log it looks small?
  • 0

#21
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Yes, that was all of it. Want me to run it again?
  • 0

#22
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Yep post all of the log it makes.
  • 0

#23
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Ah. I posted all of the log last time, but I guess it just didn't preform correctly. Or something.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Santa Fe Stucco.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 27 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 83 seconds)
  • 0

#24
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
That seems ok do this.

1. Download and unzip http://skads.org/special/rkfiles.zip to a folder.

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode go to the folder you unzipped rkfiles to and run rkfiles.bat. It will take a long time and it will make a log log.txt. Reboot into normal mode and post that log here in a reply.
  • 0

#25
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
:\Documents and Settings\Shane Moore\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\msnsmgs.exe: UPX!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
  • 0

Advertisements


#26
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Ok delete the file C:\WINDOWS\SYSTEM32\msnsmgs.exe also post a new Hijackthis log for me to make sure you are still clean.
  • 0

#27
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Man, this stuff just won't go away.

Logfile of HijackThis v1.99.1
Scan saved at 6:14:26 AM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WINDOWS32.exe
C:\WINDOWS\System32\mssetup32.exe
C:\Program Files\srca\ctdl.exe
C:\Documents and Settings\Shane Moore\ss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shane Moore\Desktop\Spyware Removal Folder\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\Run: [Microsoft Update 32] mssetup32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 32] mssetup32.exe
O4 - HKCU\..\Run: [Nata] C:\Program Files\srca\ctdl.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4809
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#28
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Hmm ok lets see if anything is hiding.

1. Run all these oline virus scans and tell me what they find.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://www3.ca.com/t...sinfo/scan.aspx

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

Open Ewido again
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot and Post the report Ewido made and a new Hijackthis log here in a reply.

Also question does this PC have more than one account on where other people use the PC?
  • 0

#29
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
The three links you gave me no longer work on my computer. Housecall and eTrust antivirus do not start [Housecall gives me an Active X error on every page, though it did not do so before], and the Panda ActiveScan page does not even load.

All three of them worked earlier today, but my computer froze up, and then they stopped working.
  • 0

#30
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Ok does this PC have other user accounts?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP