Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijacked? [CLOSED]


  • This topic is locked This topic is locked

#1
Bookieanalyst

Bookieanalyst

    Member

  • Member
  • PipPip
  • 21 posts
I tried a free scan through Xoft (sp?) that said my exployer was hijacked and a web hijacker has changed my options. Not to mention a PCBloodhound. Can anyone verify this and tell me what to do?

Thanks, Here's my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 1:24:37 AM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Connect\mswmcls.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Linda\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.googlesearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Vegas Palms Online Casino - {D6CE8C73-4D87-4404-9E98-B0463643FD94} - C:\Program Files\vegaspalms\casinogame.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
O15 - Trusted Zone: http://www.micromedia.com
O15 - Trusted Zone: http://*.msn.com
O15 - Trusted Zone: http://chat.myspace.com
O15 - Trusted Zone: http://www.passport.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
  • 0

Advertisements


#2
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Me again. I realize everyone has lives and are busy people, but I do a lot of work from my home PC and I need to get this fixed so that the client data is safe and secure.

I did another scan online and it's telling me I have a Win32 worm/trojan. None of the scans I perform with my software at home verifies nor denies this. Can someone please let me know what to do and who to believe?

Thanks
  • 0

#3
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi and welcome to Geekstogo!

XSoft is not a trusted Spyware program and has been know to give false postives to get people to buy the product.


Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

Please post the Active scan log, Ewido log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#4
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Excal,

Thanks for getting back to me. Despite taking forever..... and on a night where I have to get up early for work (I know, I need some cheese to go with my whine), I finally got what you requested. I had to try forever to get into safe mode, and longer yet to complete the activescan. My computer kept kicking me off the internet, then would not let me get back on through anything. Didn't want me to activate the scan and was a real pain. I had to setup my LAN for the nth time and reset my internet access. It's getting old.

But, here are the scans and I so appreciate your help. I'm not computer illiterate, but sure feel that way right now. Why can't people find better things to constructively spend their time on rather than creating heartache for others??? I know, who knows?

Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:02:32 PM, 8/21/2005
+ Report-Checksum: F992EB87

+ Scan result:

C:\Documents and Settings\Linda\Cookies\linda@e-2dj6wjnyoidpggq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@e-2dj6wjnyslajilp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End

Activescan (which scares me)


Incident Status Location

Adware:adware/wintools No disinfected Windows Registry
Possible Virus. No disinfected C:\Documents and Settings\Linda\Desktop\Tools&Chat Stuff\desktop\NetVestigator4.0.exe
Possible Virus. No disinfected C:\Program Files\The Cleaner\MooLive.exe
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\MooLive.exe.vir
Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\NetVestigator4.0.exe.vir
Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\ProcessViewer.exe.vir
And HJT - what do the backloops stand for?

Logfile of HijackThis v1.99.1
Scan saved at 12:49:42 AM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\Linda\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: New application.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAV.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Vegas Palms Online Casino - {D6CE8C73-4D87-4404-9E98-B0463643FD94} - C:\Program Files\vegaspalms\casinogame.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
O15 - Trusted Zone: http://www.micromedia.com
O15 - Trusted Zone: http://*.msn.com
O15 - Trusted Zone: http://chat.myspace.com
O15 - Trusted Zone: http://www.passport.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe



Again, thank you so much
  • 0

#5
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

And HJT - what do the backloops stand for?


Not sure what you are asking?


Please download the file I have attached to this post and unzip it to your desktop :tazz:

Open the RegSearch folder and double click RegSearch.vbs. Allow it to run.
Note: if your Antivirus or another program prompts about running a script file, allow the script to run.

copy and paste this in: wintools then hit "ok"

RegSearch will "disappear" but it is actually searching the registry for that entry.

Copy and paste what it finds into a Notepad file.
  • 0

#6
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I'm sorry, I meant what do the "backlinks" mean that are showing up on the Hijack this Log?

Here is the wordpad from the RegSearch scan. I have very little idea of what it means and what to do with it.

Thanks again for all your help. This has been a hair pulling nightmare for me.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "wintools" 8/22/2005 8:23:39 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WinTools]

[HKEY_USERS\S-1-5-21-436374069-1935655697-725345543-1004\Software\Webroot\SpySweeper\Startup\2_WinTools]

[HKEY_USERS\S-1-5-21-436374069-1935655697-725345543-1004\Software\Webroot\SpySweeper\Startup\2_WinTools]
"path"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"

[HKEY_USERS\S-1-5-21-436374069-1935655697-725345543-1004\Software\Webroot\SpySweeper\Startup\2_WinTools]
"command"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"

[HKEY_USERS\S-1-5-21-436374069-1935655697-725345543-1004\Software\Webroot\SpySweeper\Startup\2_WinTools]
"item"="WinTools"

:tazz:
  • 0

#7
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT 4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WinTools]

[-HKEY_CURRENT_USER\Software\Webroot\SpySweeper\Startup\2_WinTools]



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


Please reboot then run that reg search again .

Also, do you have more than one account on your system?

Thanks,

:tazz:

Excal

Edited by Excal, 22 August 2005 - 11:41 PM.

  • 0

#8
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Excal,

As far as I know, I don't have more than one account on this system. My boyfriend set up an account for his laptop and we sometimes check on the post he has for that on here. But since they are two different systems, I thought it best to have two different user accounts to try and get the problems fixed on both of our computers.

I will now do as you instructed and post the new log on here.

Thanks again for all your help. :tazz:
  • 0

#9
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
:tazz:

The results came back with nothing found. I'm assuming that is a good thing. Do I need to do anything else? It still doesn't seem like my explorer is "right." and I'm still having problems with things correctly - especially my account since I am administrator and am having problems trying to access without restriction.

Let me know. You are awesome!!

:)
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

I am administrator and am having problems trying to access without restriction.


This should help with that :tazz:

Right click on the Microsoft/Giant AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re enable it after the fix, you follow the same steps but click on Enable Real-time Protection.

Spysweeper

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it click >Options over to the left then >Program Options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".


open Hijackthis and do a scan. Please check off the following items:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


click FIX CHECKED then close Hijackthis

Reboot and post a fresh Hijackthis log
  • 0

Advertisements


#11
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
One again, I have done as instructed. Boy, did I have a hard time getting back online though. My LAN became disconnected and I had to re-do the wizard to get the interenet connection back.

I'll make it brief since I am currently running unprotected. Here is my latest Hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:50 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Linda\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

dynhost.inetcam.com;register.inetcam.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program

Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN

Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN

Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar

2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: New application.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAV.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar

2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL

Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Vegas Palms Online Casino - {D6CE8C73-4D87-4404-9E98-B0463643FD94} - C:\Program

Files\vegaspalms\casinogame.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} -

C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
O15 - Trusted Zone: http://www.micromedia.com
O15 - Trusted Zone: http://*.msn.com
O15 - Trusted Zone: http://chat.myspace.com
O15 - Trusted Zone: http://www.passport.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common

Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ

Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton

SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program

Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program

Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


I still don't understand the "backwards links" and "extra buttons" that I've noticed before. Are these supposed to be there? I don't mean to sound ignorant, but I guess I'm starting to feel that way.

Also, I don't understand why BIOS items keep appearing on my Microsoft AntiSpyWare for the Winsock LSP's? Any ideas?

Thanks again for all your help
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

I still don't understand the "backwards links" and "extra buttons" that I've noticed before.


Extra buttons are buttons that appear on the top of your Internet Explorer. If you do not want them there, or didn't put them there, Fix them in HiJackthis and delete the folder of applicable.

Still don't know what you mean by backwards link :tazz:


Also, I don't understand why BIOS items keep appearing on my Microsoft AntiSpyWare for the Winsock LSP's? Any ideas?


Not sure on this. If LSP is coming up it may mean connections problems, although I don't see any problem in your HiJackthis with those.

let me see a Silent runners log, just want to check something:

Silent Runners:
  • Please click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

  • NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
    For some time it will look like nothing is happening. Just keep waiting.
  • Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here

Edited by Excal, 24 August 2005 - 12:28 AM.

  • 0

#13
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
By Backward Links, I mean items that show up on my notepad list like this:

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html


At one point, there were quite a few of these, now I'm not seeing any on the last scan but am still curious as to what they are for or what they mean. Are they "bad" things?

Here is the Silent Runners Log:




"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = "Yahoo! Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MIF269~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MIF269~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\slideshow.dll" [MS]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]
"{51917337-5113-4EC2-9CB6-C6212D0EF3E9}" = "BPS Shredder Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\BPS Data Shredder\CtxMenu.dll" ["BulletProofSoft.com"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]
"{248A7248-2D62-4B49-ACFB-0C1B70C04F0D}" = "PKZIP Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll" ["PKWARE, Inc."]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Linda" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"New application" -> shortcut to: "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAV.exe" ["Computer Associates International, Inc."]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"System Restore" -> launches: "C:\WINDOWS\system32\Restore\rstrui.exe" [MS]
"TC_new" -> launches: "C:\Program Files\The Cleaner\cleaner.exe /e /s" ["MooSoft Development"]
"wrSpySweeper20050717165042" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /ScheduleSweep=wrSpySweeper20050717165042" ["Webroot Software, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 14
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 13, 15 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {CLSID}\(Default) = "MSN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll" [MS]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {CLSID}\(Default) = "AOL Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {CLSID}\(Default) = "MSN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll" [MS]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {CLSID}\(Default) = "AOL Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{D6CE8C73-4D87-4404-9E98-B0463643FD94}\
"ButtonText" = "Vegas Palms Online Casino"
"Exec" = "C:\Program Files\vegaspalms\casinogame.exe" [file not found]

{FD9DE2B4-C926-4460-81C4-FC58C6F1062E}\
"ButtonText" = "SmartWhois"
"Exec" = "C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE" ["TamoSoft, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
CAISafe, CAISafe, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Gear Security Service, GEARSecurity, "C:\WINDOWS\system32\gearsec.exe" ["GEAR Software"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
VET Message Service, VETMSGNT, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Have a great day. You are helping me soooo much!
:tazz:
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html


Anything in the O8's are things that are added to your right click menu when your on IE. This one is legit, although there are some that are bad (none u have :))

I don't see anything in this log. Whats going on with your computer?

:tazz:

Excal
  • 0

#15
Bookieanalyst

Bookieanalyst

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
It's running better, but I still have problems with the browser settings changing. Any guidance on what they should be so I can make sure all of the defaults are set correctly? I still have a few problems but some of those might be the operator. What do you think?

:tazz: :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP