
Newbie Needs help - Never used Forum before - May require patience

4.3K views 27 replies 5 participants last post by  CTSNKY  
#1 ·
I've got a yellow shield icon that keeps popping up on my task bar suggesting that I need virus protection.

Have played around with a few fixes but nothing seems to make the little bugger go away. Claims to be a Microsoft app but is an obvious hoax. Also a pop-up window keeps appearing warning me to get virus protection.

I try to run HijackThis so I have a log to post, but each time I do that it craps out before I get a chance to cut and paste. Any ideas what would be making HijackThis freeze up?
 
#2 ·
Try attaching the hijackthis.log file here, since it's giving you problems copying and pasting.

Then do the following:

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything in the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
 
#4 ·
HijackThis freezes up before I can cut and paste

Hi - more attempts, but I could not cut and paste from HijackThis. I saw an option that allowed me to create a startup list - is this sufficient/helpful for you to take a look at? (See below.) Will do the TDS-3 scan (I found it) and post separately.
Leo

StartupList report, 1/12/2005, 10:37:23 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ldwyer.MAIN\My Documents\Temp\Spy Ware\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe
C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ldwyer.MAIN\My Documents\Temp\Spy Ware\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\WINDOWS\system32\openconf.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ldwyer.MAIN\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
Microsoft Broadband Networking.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TabletTip = "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = rundll32 nview.dll,nViewLoadHook
AGRSMMSG = AGRSMMSG.exe
srmclean = C:\Cpqs\Scom\srmclean.exe
Compaq Q Menu = C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe -QICON
Mode Change Service = "C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe" /Start
pttrun = "C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttrun.exe"
IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
POINTER = point32.exe
vptray = C:\Program Files\NavNT\vptray.exe
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
FineReader7NewsReaderPro = "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
SpyHunter = C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
EnigmaPopupStop = C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
TabletWizard = C:\WINDOWS\help\SplshWrp.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

[{90C9629E-CD32-11D3-BBFB-00105A1F0D68}]
CODEBASE = http://www.installengine.com/engine/isetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[QuickBooks Online Edition Utilities Class v7]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\qboax7.dll
CODEBASE = https://accounting.quickbooks.com/v11.165/qboax7.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Xircom Ethernet Adapter 10/100 Service: System32\DRIVERS\ce3n5.sys (manual start)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
ClntMgmt.sys: \SystemRoot\System32\Drivers\ClntMgmt.sys (system)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Transmeta Crusoe Processor Driver: System32\DRIVERS\crusoe.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Compaq 802.11b WLAN Mini-PCI: System32\DRIVERS\cwl200.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\Program Files\NavNT\defwatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Eplpdx02: \??\C:\WINDOWS\System32\Drivers\EPLPDX02.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
FinePoint Innovations Serial HID Driver: System32\DRIVERS\FpHidDrv.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Compaq Tablet PC Key Buttons HID Driver: System32\DRIVERS\CPQBttn.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
PS/2 Keyboard Port Driver: System32\DRIVERS\i8042prt.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
Microsoft IntelliPoint Features driver: System32\DRIVERS\IPFilter.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
NAVAP: \??\C:\Program Files\NavNT\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\NavNT\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040616.035\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040616.035\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton AntiVirus Client: C:\Program Files\NavNT\rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (manual start)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Crusoe Persistent Translation Service: C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttsvc.exe (autostart)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serial Port Driver: System32\DRIVERS\serial.sys (manual start)
High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{C71427F4-50FD-4772-A373-6FFB9B6DC94A} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
VIA AC'97 Audio Controller (WDM): system32\drivers\ac97via.sys (manual start)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Windows Management Interface for ACPI: System32\DRIVERS\wmiacpi.sys (system)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,754 bytes
Report generated in 0.932 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
#6 ·
TDS-3 Log

Finally got my TDS-3 log file and alarms done (See below) - Apologies for the previous long post from Hijack this - Any way to delete a post to open up the space ?

Thanks again
Leo

07:32:11 [Quit] Unloading ...
10:54:58 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:54:59 [Init] Started 12-01-05 10:54:59 Eastern Standard Time (UTC: 5), Internet Time @704.85
10:54:59 [Init] Loading TDS-3 Systems ...
10:54:59 [Init] Token successfully adjusted.
10:54:59 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:55:00 [Init] • Plugins : OK. Loaded 13
10:55:00 [Init] • Exec Protection : Not Installed
10:55:00 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:55:00 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:55:00 [Init] Licensed users can use the Update facility from the TDS menu
10:55:01 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:57:09 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:57:09 [Init] Started 12-01-05 10:57:09 Eastern Standard Time (UTC: 5), Internet Time @706.35
10:57:09 [Init] Loading TDS-3 Systems ...
10:57:10 [Init] Token successfully adjusted.
10:57:10 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:57:10 [Init] • Plugins : OK. Loaded 13
10:57:10 [Init] • Exec Protection : Not Installed
10:57:10 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:57:10 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:57:10 [Init] Licensed users can use the Update facility from the TDS menu
10:57:10 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:57:54 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:57:54 [Init] • Systems Initialised [44216 references - 20387 primaries/11695 traces/12134 variants/other]
10:57:55 [Init] Radius Systems loaded. <Databases updated 11-01-2005>
10:57:55 [Init] TDS-3 Ready. <Ldwyer@192.168.2.29, 127.0.0.1, 192.168.2.30 - United States>
10:57:55 [Tip Of The Day] Did you know? - DiamondCS are the only anti-trojan company that updates DAILY.
10:57:55 [TDS] Good morning Ldwyer.
10:58:31 [Mutex Memory Scan] Started...
10:58:35 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:58:35 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
10:59:07 [CRC32] Started - verifying 29 files ...
10:59:09 [CRC32] File doesn't exist: C:\autoexec.bat
10:59:28 [CRC32] Test finished.
11:08:08 [Memory Scan] Memory scan started, please wait a moment ...
11:08:18 [Memory Scan] Memory scan complete.
11:08:18 [Mutex Memory Scan] Started...
11:08:20 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:08:20 [Trace Scan] Started...
11:08:46 [Trace Scan] Finished.
11:08:46 [Service\Driver Scan] Scanning for services and drivers ...
11:09:01 [Service\Driver Scan] Scanned 300 services and drivers.
11:09:01 [File Scan] Scanning in C:\ ...
13:46:51 [File Scan] Scanned 62587 files: 10 alarms in 9469.969 seconds (Avg 7.61 files/sec)
13:46:53 [File Scan] Scanning in D:\ ...
13:46:53 [File Scan] Scanned 0 files: 10 alarms in 5.078125E-02 seconds (Avg 1. files/sec)
13:46:53 [Scan] Finished.
13:55:06 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt

ALARMS****************

Scan Control Dumped @ 13:58:40 12-01-05
Positive identification (DLL): RAT.Agent.aq (dll)
File: c:\documents and settings\ldwyer.main\local settings\temp\d38.tmp

Positive identification: TrojanDownloader.Win32.PurityScan.b
File: c:\documents and settings\ldwyer.main\local settings\temp\rs.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\ldwyer.main\my documents\personal\thunder\board related papers\gin-lst[1].mst.doc

Suspicious Filename: Dual extensions
File: c:\documents and settings\ldwyer.main\my documents\personal\thunder\board related papers\o_d[1].mst.doc

Suspicious Filename: Dual extensions
File: c:\documents and settings\ldwyer.main\my documents\personal\thunder\interogatory\rqp.001.doc

Suspicious Filename: Dual extensions
File: c:\documents and settings\ldwyer.main\my documents\temp\install files\alias draw\sbk_aliassketchbookpro_1.0.3.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\ldwyer.main\my documents\temp\install files\key hole\keyhole2pro-2.2.990.exe

Positive identification: TrojanDownloader.Win32.WinShow.r
File: c:\program files\internet explorer\pslnukqi.exe

Positive identification (DLL): Adware.Winshow.c1 (dll)
File: c:\recycler\s-1-5-21-1411321444-1648729201-207133339-500\dc1.dll

Positive identification (DLL): TrojanDownloader.Win32.Winshow.u1 (dll)
File: c:\recycler\s-1-5-21-1411321444-1648729201-207133339-500\dc2.dll
 
#7 · (Edited)
Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Where's the HijackThis log?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\WINDOWS\system32\openconf.exe
c:\program files\internet explorer\pslnukqi.exe
c:\recycler\s-1-5-21-1411321444-1648729201-207133339-500\dc1.dll
c:\recycler\s-1-5-21-1411321444-1648729201-207133339-500\dc2.dll

If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.

Run the CleanUp program now and choose Yes when it asks if you want to log off.

Restart and post new HijackThis log.
 
#8 ·
"CleanUp Program" ??

Hi - Have run "Kill Box" am now looking for the "CleanUp" program - Where would I find that? - Ditto for Silent Runners, Find-qoologic and DllCompare

Also - every time I run HiJack this it runs through the program with the log scrolling on screen but when it gets to the end it gives a dialogue box that says "Hijack this has encountered a problem and needs to close. We are sorry for the inconvenience" and then asks if I want to tell Bill Gates about the problem. Any thoughts? That is why I have yet to post a HJT log.
Leo
 
#9 ·
Sorry about that. Ignore that. I will edit my post now.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and post a new HijackThis log. Any problems now?
 
#10 ·
Ugh - Icon still there

Ugh - Did all steps - ran cleanup and yellow shield Icon still there and I can't get HJT to run without bombing out and giving me the "Hijack this has encountered a problem and needs to close. We are sorry for the inconvenience" dialogue box

Any bright ideas ??
Leo
 
#11 ·
Yes, several actually........

- The yellow shield icon should be Windows telling you that you have Updates to install. If you double-click on that icon, a window should pop-up giving you an option to do an Express or Custom Install. That is NOT a hoax, that is Windows SP2 doing its job. You should install those updates!

- Let's try the older version of HJT and see if it still bombs out on you:

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis1982.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.
 
#12 · (Edited)
Re: Little Yellow Sign... I just got off my XP and had the symbol for MS Update notifier. It in fact is the new updates and they have something new for Adware... If you click it open to view the titles, it will show you what they intend to install. If you are still unsure then on your browser click Tools then Windows Update and let the real page tell you what they have (or don't). If you don't trust the pop-up then download from their site directly. YES, they do have an Adware update but it's for 2000 and XP!, not 98 like I'm on now.
I just got it.

digit

P.S. CTSNKY... sorry to 'hijack' your thread :1angel: ..... again. Just trying to help.
 
#13 ·
The Older HJT ran fine -

CTSNKY - thanks for the post - The old program ran fine, have posted the analyzed results below - As for Digit's suggestion I appreciate the thought - but I think I know the icon he is referring to and this one is different - clicking it takes you to a pretty lame looking page that purports to be MS but is obviously a fake - not to mention the fact that every five minutes a naked woman pops up asking me if I want to play poker with her.

Look forward to your comments
Leo

===========================================================================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/12/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 11:20:51 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttsvc.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe
C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\openconf.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\Documents and Settings\ldwyer.MAIN\Desktop\Old HJT\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {5582F471-5DA6-4D17-8AAF-C5ACEF8071E3} - C:\WINDOWS\system32\snnpapi.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [nwiz] rundll32 nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [Compaq Q Menu] C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe -QICON
O4 - HKLM\..\Run: [Mode Change Service] "C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe" /Start
O4 - HKLM\..\Run: [pttrun] "C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttrun.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.165/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Main.calcot.com
O17 - HKLM\Software\..\Telephony: DomainName = Main.calcot.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F5B02F-7379-42A2-BCF1-9AEAD5D4F04E}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{4948B7E3-F940-47A0-AA07-1EE059F8ABAD}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7733988-ECA9-4E2F-B666-542B99A1BAC8}: NameServer = 69.50.188.178,69.31.80.244
O18 - Filter: text/html - {44299B07-5BE3-45EE-88D8-868ECE70EAF4} - C:\WINDOWS\system32\snnpapi.dll
O18 - Filter: text/plain - {44299B07-5BE3-45EE-88D8-868ECE70EAF4} - C:\WINDOWS\system32\snnpapi.dll


End of KRC HijackThis Analyzer Log
 
#14 ·
Interesting info Leo. Thanks. Maybe someone is taking advantage of the MS early release of their Beta prog. I actually got the D/L just hours ago and mine was legit. These guys jump on the bandwagon awfully fast.
Good Luck,
digit
 
#15 ·
Digit was correct

Digit - 1000 apologies - your last post inspired me to click on the update balloon off the yellow shield as prompted - It was in fact a MS update - I swear last night when I did the same thing it took me to a childish page with a picture of a thief on it - oh well make that 2,000 apologies - Still have the woman who wants to play poker nude and my home page is being hijacked so there is still a gremlin in here somewhere

Leo
 
#16 ·
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\openconf.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {5582F471-5DA6-4D17-8AAF-C5ACEF8071E3} - C:\WINDOWS\system32\snnpapi.dll
O15 - Trusted Zone: http://*.63.219.181.7
O18 - Filter: text/html - {44299B07-5BE3-45EE-88D8-868ECE70EAF4} - C:\WINDOWS\system32\snnpapi.dll
O18 - Filter: text/plain - {44299B07-5BE3-45EE-88D8-868ECE70EAF4} - C:\WINDOWS\system32\snnpapi.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\openconf.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\WINDOWS\system32\snnpapi.dll

Reboot into Normal Mode and run new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
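The fix list above follows one line of reasoning: the R1 res:// search pages, the unnamed O2 BHO, the O15 trusted-zone IP and the two O18 MIME filters all lead back to a single DLL. The script below is an added example (not from the thread, HijackThis or KRC Analyzer) that applies those same rules to a few lines reproduced from the log above and groups the hits by the file they reference; the entry patterns and rule set are the example's own assumptions, not HijackThis scoring.

```python
"""Triage a HijackThis 1.9x log: flag the entry types the thread treats as
hijack indicators and group the hits by the file they point at, so one DLL
behind many R1/O2/O18 lines shows up as a single root cause.
Added example; the rules below are assumptions, not HijackThis's own logic."""
import re
from collections import defaultdict

# A Windows path ending in .dll/.exe/.sys. Paths containing spaces are cut at
# the space; that is acceptable here because the flagged entry types
# (R0/R1/O1/O2/O15/O18) reference system32 files without spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"',)]+?\.(?:dll|exe|sys)", re.IGNORECASE)
# "R1 - ..." / "O18 - ..." entry prefix as HijackThis prints it.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Lines reproduced from the KRC-analyzed log posted in the thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
    r"O2 - BHO: (no name) - {5582F471-5DA6-4D17-8AAF-C5ACEF8071E3} - C:\WINDOWS\system32\snnpapi.dll",
    r'O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume',
    r"O15 - Trusted Zone: http://*.63.219.181.7",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409",
    r"O18 - Filter: text/html - {44299B07-5BE3-45EE-88D8-868ECE70EAF4} - C:\WINDOWS\system32\snnpapi.dll",
    r"O18 - Filter: text/plain - {44299B07-5BE3-45EE-88D8-868ECE70EAF4} - C:\WINDOWS\system32\snnpapi.dll",
]


def flag_entry(kind, body):
    """Return a short reason when an entry matches a hijack pattern, else None."""
    lower = body.lower()
    if kind in ("R0", "R1") and "res://" in lower:
        # Search/start page served out of a local DLL resource instead of a site.
        return "search/start page served from a local DLL resource"
    if kind == "O1":
        return "hosts file override"
    if kind == "O2" and "(no name)" in lower:
        return "unnamed Browser Helper Object"
    if kind == "O15" and re.search(r"\d+\.\d+\.\d+\.\d+", body):
        return "trusted zone granted to a raw IP address"
    if kind == "O18" and "filter:" in lower:
        # A MIME filter on text/html or text/plain sees every page IE renders.
        return "MIME filter hooking page content"
    return None


def triage(lines):
    """Return (flags, by_file): flags is a list of (kind, reason, body) for the
    entries that matched a rule; by_file maps each lowercase path referenced by
    a flagged entry to the set of entry kinds that reference it."""
    flags = []
    by_file = defaultdict(set)
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        kind, body = m.group("kind"), m.group("body")
        reason = flag_entry(kind, body)
        if reason is None:
            continue
        flags.append((kind, reason, body))
        for path in PATH_RE.findall(body):
            by_file[path.lower()].add(kind)
    return flags, dict(by_file)


def root_file(by_file):
    """Path referenced by the most distinct flagged entry kinds, or None."""
    if not by_file:
        return None
    return max(by_file, key=lambda p: len(by_file[p]))


if __name__ == "__main__":
    found, files = triage(SAMPLE_LOG)
    for kind, reason, body in found:
        print(f"{kind:<4} {reason}: {body}")
    print("\nFiles behind flagged entries:")
    for path, kinds in files.items():
        print(f"  {path}  <- {', '.join(sorted(kinds))}")
    print(f"\nLikely root: {root_file(files)}")
```

Clearing only the R1 entries without deleting the file the O2 and O18 lines point at leaves the hook in place, which is why the fix list above ends with the file deletions.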
 
#17 ·
I think we won

Log below
Did I get it ???

Running processes:
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttsvc.exe
C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe
C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\WINDOWS\system32\openconf.exe
C:\Documents and Settings\ldwyer.MAIN\Desktop\Old HJT\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [nwiz] rundll32 nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [Compaq Q Menu] C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe -QICON
O4 - HKLM\..\Run: [Mode Change Service] "C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe" /Start
O4 - HKLM\..\Run: [pttrun] "C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttrun.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.165/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Main.calcot.com
O17 - HKLM\Software\..\Telephony: DomainName = Main.calcot.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F5B02F-7379-42A2-BCF1-9AEAD5D4F04E}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{4948B7E3-F940-47A0-AA07-1EE059F8ABAD}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7733988-ECA9-4E2F-B666-542B99A1BAC8}: NameServer = 69.50.188.178,69.31.80.244


End of KRC HijackThis Analyzer Log.
 
#18 · (Edited)
Not yet...

Download and install CleanUp http://cleanup.stevengould.org/

Download the following attachment remv3.zip http://forums.skads.org/index.php?showtopic=80

Make a folder on the root drive C:\ and unzip the files into it.

Now...run Cleanup and reboot/logoff when prompted. On the reboot...boot directly to safe mode. YOU MUST be in safe mode to run this program.

Open the folder where you saved those files and click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt

Open add/remove programs and remove the following..

EnigmaPopupStop
SpyHunter


Both those programs are considered rogue and suspect spyware removal and prevention tools. It's recommended you remove them as they can't be trusted.

Now open hijackthis and fix the following..

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe


**Note** If the following entries are not related to your ISP or company servers/network, fix them also.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Main.calcot.com
O17 - HKLM\Software\..\Telephony: DomainName = Main.calcot.com



Delete the following files/folders in bold.

C:\WINDOWS\system32\snnpapi.dll
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

Reboot back to normal mode and Post both those logs (from the program you ran) as well as a new hijackthis log so I can confirm what was removed.
 
#19 ·
No change here

think it is still here

I went through the steps - twice -with the following differences from instructions:

The program I ran was Remv3.bat (assume this is an up to date version of rem.bat)

logs on last run were
-----------------------------------
Log Text


Files Found.................
----------------------------------------
unlodctl.exe
spnping.exe
qappsrvc32.exe
openconf.exe
nlsfuncs.exe
dx9vbc.dll
dnsauth.dll
taskopen.exe
iecust.dll
iecust.exe
setvers.exe
snnpapi.dll

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdlk.dll
hdnm.dll
hdqp.dll
msi.dll
mspq.dll
msxy.dll
Finished

------------------------------------
Bad1 Text


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Hd
<NO NAME> REG_BINARY 5854D1CFDF8A75438898E9096D50FD65
Name REG_BINARY 45CD48AEDBED0CC209DCC02283D814305B9476958A57B47600FBC0ED

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Hd\#1#

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Hd\#2#

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Hd\#3#

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Hd\#4#
---------------------------------------------------------------------------

I tried to add/remove EnigmaPopupStop & SpyHunter but they weren't in my list - there was an entry for BPS Spyware but when I tried to remove it it said "unins000.dat does not exist"
I did delete the program files in the C:\Program area.
On my first time through HJT (BTW I am running an older version as the latest version consistently bombs out) I was able to "Fix" (delete) the following:

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

On my second attempt (I did the whole thing twice) I had the following seven to "Fix" (including the two above, meaning that they were getting back somehow).


Could not find C:\WINDOWS\system32\snnpapi.dll (There was a Snmpapi.dll which I left)

As stated above I did delete
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
on the first pass (Interestingly the folder did include a file named snnpapi.dll)

This is my current HJT
===========================================================================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/12/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 3:19:37 PM, on 1/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttsvc.exe
C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe
C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
C:\Documents and Settings\ldwyer.MAIN\Desktop\Old HJT\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {ADD9FBB2-8A9A-43D8-9133-26653C401B3C} - C:\WINDOWS\system32\snnpapi.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll (file missing)
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [nwiz] rundll32 nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [Compaq Q Menu] C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe -QICON
O4 - HKLM\..\Run: [Mode Change Service] "C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe" /Start
O4 - HKLM\..\Run: [pttrun] "C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttrun.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.165/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Main.calcot.com
O17 - HKLM\Software\..\Telephony: DomainName = Main.calcot.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F5B02F-7379-42A2-BCF1-9AEAD5D4F04E}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{4948B7E3-F940-47A0-AA07-1EE059F8ABAD}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7733988-ECA9-4E2F-B666-542B99A1BAC8}: NameServer = 69.50.188.178,69.31.80.244
O18 - Filter: text/html - {0F8E4324-BBF6-4149-BE0E-851F6AFC990F} - C:\WINDOWS\system32\snnpapi.dll
O18 - Filter: text/plain - {0F8E4324-BBF6-4149-BE0E-851F6AFC990F} - C:\WINDOWS\system32\snnpapi.dll


End of KRC HijackThis Analyzer Log.
===========================================================================================================================
Also note - now on reboot I get a message "qappsrvc32.exe - Windows cannot find qappsrvc32.exe make sure you typed the name correctly"

Also since rebooting my "U Beat" new MS Spyware protection beta courtesy of Mr Gates has warned me that "Melkosoft" "coolwebsearch" were both trying to install (I blocked both) and that something was attempting to change my browser default to "about:blank" which I also chose to block - but it still got changed (I guess that is why they call it a Beta)
I am getting tired of this
Thanks again
Leo
 
#20 ·
You said to assume that that was an up-to-date version of rem.bat. Do you have the updated one now? If so, do the below fixes now and post a new log along with the new rem.bat log.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download SpHjfix.exe and run it.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {ADD9FBB2-8A9A-43D8-9133-26653C401B3C} - C:\WINDOWS\system32\snnpapi.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll (file missing)
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O18 - Filter: text/html - {0F8E4324-BBF6-4149-BE0E-851F6AFC990F} - C:\WINDOWS\system32\snnpapi.dll
O18 - Filter: text/plain - {0F8E4324-BBF6-4149-BE0E-851F6AFC990F} - C:\WINDOWS\system32\snnpapi.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\iecust.dll
taskopen.exe
C:\WINDOWS\system32\snnpapi.dll

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.
 
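The fix list above is built by hand from the log: the same DLL (snnpapi.dll) shows up in the IE search settings (R1), as a BHO (O2) and as a MIME filter (O18), which is what marks it as the hijacker component. The script below is an added example, not code from the thread or from HijackThis, that does that cross-referencing automatically over a few constructed log lines in the same format; the entry-type regex, the name HIJACK_TYPES and the flagging thresholds are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of HijackThis 1.98 lines, in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {ADD9FBB2-8A9A-43D8-9133-26653C401B3C} - C:\WINDOWS\system32\snnpapi.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll (file missing)
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O18 - Filter: text/html - {0F8E4324-BBF6-4149-BE0E-851F6AFC990F} - C:\WINDOWS\system32\snnpapi.dll
O18 - Filter: text/plain - {0F8E4324-BBF6-4149-BE0E-851F6AFC990F} - C:\WINDOWS\system32\snnpapi.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "<type> - <body>" (assumed shape)
FILE_RE = re.compile(r"([\w-]+\.(?:dll|exe))", re.I)    # bare .dll/.exe names in the body
# IE search settings (R1), BHO (O2), toolbar (O3) and MIME filter (O18) are the hook
# points a browser hijacker uses; one file appearing in several of them is the tell.
HIJACK_TYPES = {"R1", "O2", "O3", "O18"}

def parse_hjt(text):
    """Map each referenced .dll/.exe name to the entry types and markers it appears with."""
    found = defaultdict(lambda: {"types": set(), "file_missing": False, "res_url": False})
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # header, process list or blank line
        etype, body = m.groups()
        for name in {f.lower() for f in FILE_RE.findall(body)}:
            rec = found[name]
            rec["types"].add(etype)
            rec["file_missing"] |= "(file missing)" in body   # dead registration
            rec["res_url"] |= "res://" in body                # page served from inside the DLL
    return dict(found)

def triage(text):
    """Return {name: {"types": [...], "reasons": [...]}}; an empty reasons list means nothing odd."""
    report = {}
    for name, rec in parse_hjt(text).items():
        hooks = rec["types"] & HIJACK_TYPES
        reasons = []
        if len(hooks) >= 2:
            reasons.append("hooked via " + "+".join(sorted(hooks)))
        if rec["res_url"]:
            reasons.append("serves IE search page via res://")
        if rec["file_missing"]:
            reasons.append("registered but file missing")
        report[name] = {"types": sorted(rec["types"]), "reasons": reasons}
    return report
```

Calling `triage(SAMPLE_LOG)` flags snnpapi.dll on all three counts and iecust.dll as a dead registration, while the NavNT tray program comes back with no reasons.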
#22 ·
If that's what they have, it should be current. Post that and a new HijackThis log.
 
#23 ·
I think you got it

This is after a clean reboot and just running HJT

How does it look - seems to be running smoother

Leo

==========================================================================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/12/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\vptray.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 6:37:02 PM, on 1/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe
C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttsvc.exe
C:\Documents and Settings\ldwyer.MAIN\Desktop\Old HJT\HijackThis1982.exe

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [nwiz] rundll32 nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [Compaq Q Menu] C:\Program Files\Compaq\Compaq Q Menu\QIcon.exe -QICON
O4 - HKLM\..\Run: [Mode Change Service] "C:\Program Files\Compaq\Mode Change Service\CpqMcSrV.exe" /Start
O4 - HKLM\..\Run: [pttrun] "C:\Program Files\Transmeta\Crusoe Persistent Translation Service\pttrun.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.165/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Main.calcot.com
O17 - HKLM\Software\..\Telephony: DomainName = Main.calcot.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F5B02F-7379-42A2-BCF1-9AEAD5D4F04E}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{4948B7E3-F940-47A0-AA07-1EE059F8ABAD}: NameServer = 69.50.188.178,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7733988-ECA9-4E2F-B666-542B99A1BAC8}: NameServer = 69.50.188.178,69.31.80.244


End of KRC HijackThis Analyzer Log.
 
#24 · (Edited)
Leo the Lion said:
Digit - your last post inspired me to click on the update balloon off the yellow shield as prompted - It was in fact a MS update - I swear last night when I did the same thing it took me to a childish page with a picture of a thief on it - Still have the woman who wants to play poker nude and my home page is being hijacked so there is still a gremlin in here somewhere

Leo
Leo,
Thanks for the info. Pleased at least that part worked out and it seems the rest is good with thanks to the highly regarded 'official' team members of the site that worked with you. Hope the naked lady gets dumped!
digit
 