WinMin Problem and browser hijack

therock · 11-14-2004, 07:12 AM

Hallo i've been facing these 2 problems and i would really like your help!When i shutdown my pc there's an error of WinMin not responding,and everytime i open the internet explorer the home page is set to "http://yoursearcher.com/index.htm".
I've read another topic here on how to deal with WinMin but the problem hasn't been solved!I turned off the system restore and scaned in safe mode with hijack this,spybot,adaware and about buster but no luck.Any clues?I'll also post my 2 logs here

DoubleClick: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

Advertising.com: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

Advertising.com: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

Alexa Related: What's related link (Replace file, fixed)
C:\WINDOWS\Web\related.htm

Avenue A, Inc.: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

BFast: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

BlazeFind.Bridge: Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunDLL

Commission Junction: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

CoolWWWSearch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

CoolWWWSearch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

CoreMetrics: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-4177550750-1896881845-2489994563-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DyFuCA.InternetOptimizer: Program directory (Directory, fixed)
C:\Program Files\Internet Optimizer\

DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert

DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer

HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

HitsLink: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

HitsLink: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

ISTbar.Slotch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

ISTbar.Slotch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

MediaPlex: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

PornTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

PowerScan: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-4177550750-1896881845-2489994563-500\Software\PowerScan

SexList: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

TargetNet: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

ValueClick: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

Last minute warning!

When i try to open the hijack this log,mcafee doesn't let me!It says mcafee has detected a virus and the log doesn't open!I tried to close t from the tray but same thing happened!

CTSNKY · 11-14-2004, 07:16 AM

Try a fresh copy of HJT:

Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us determine if there is any spyware/malware on your computer.

EDIT: Notepad may be your problem.....look here for copy.

Failing that, try:

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

therock · 11-14-2004, 08:14 AM

That's the verison of hijack this that i Have.And the log doesn't open.I also don't think there's a notepad problem cause the spybot log opened just fine.

Also do i really need ad-aware SE?Cause i already have professional.Can't i do something with tha or do i need to download se as well?The plugin didn't work with professional though.

I have 56 k connection.Tried an online scan with bit defender but took too long and i stopped.As far as it went it revealed a "Download.Dyfuca" something like that virus and said that disinfection failed.

I'll see what i can do with the hijack this log.

I replaced the notepad.exe with the one from the link but same thing.But somehow on safemode the log opens,so i copied the loc into a microft word doc and here it goes.And i also gow the ad-aware se and the plugin.Can i have both se and pro installed at the same time.

Logfile of HijackThis v1.98.2
Scan saved at 4:37:11 μμ, on 14/11/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.insomnia.gr/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [yrknef] C:\WINDOWS\yrknef.exe
O4 - HKLM\..\Run: [kdcvqss] C:\WINDOWS\system32\hjqjgjdn.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [CD Eject Tool] C:\Program Files\CD Eject Tool\CD Eject Tool.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kqkvfhs] c:\windows\ohowoiq.exe
O4 - Startup: Trillian.lnk = ?
O4 - Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\Mail Virus Blocker\Server.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ShortKeys 2.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\system32\vbsys2 (file missing)

CTSNKY · 11-14-2004, 08:41 AM

Ouch brother, you have quite a nasty infection going on there. Definitiely need to run a full virus scan first thing! If you want a good, free AV program, try AVG at http://www.grisoft.com

Your AAW Pro is plenty, make sure you follow the customized scanning directions in last post.

Although we really need a log in Normal Mode, let's get to work. I am going to assume you have Windows XP for now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers!!

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Desktop SideBar

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O4 - HKLM\..\Run: [yrknef] C:\WINDOWS\yrknef.exe
O4 - HKLM\..\Run: [kdcvqss] C:\WINDOWS\system32\hjqjgjdn.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [kqkvfhs] c:\windows\ohowoiq.exe
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\system32\vbsys2 (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

:\WINDOWS\system32\bridge.dll
C:\WINDOWS\yrknef.exe
C:\WINDOWS\system32\hjqjgjdn.exe
C:\Program Files\Desktop Sidebar\
c:\windows\ohowoiq.exe
c:\ied_s7m.cab
c:\x.cab
C:\foo.mht!

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com. Your IE is very outdated!

therock · 11-14-2004, 10:16 AM

Ok everything's understandable but one question before I proceed.My OS is Windows 2003 server Enterprise and every common antivirus i've tried isn't compatible.Norton 2004,macafee 2005,and Panda are the ones i've tried,and none of them was compatible,so is Avg gonna be?

So i first need to know about the antivirus use before i continuou.

I would also like to thank very mush for the help you're providing me my friend!

EDIT:Why do i need to uninstall the desktop sidebar?Is It infected?It's a programma i use,it's not something random.Also why do i need to update ie?I don't use it,i use Maxthon(MyIe).

CTSNKY · 11-14-2004, 10:45 AM

Ahhhhh......well then ignore the System Restore stuff. I highly doubt AVG will work there.

Press on with the instructions otherwise....

therock · 11-14-2004, 10:59 AM

Why should i ignore the system restore?I've found i way to have it as an option on win2003 and i've already disabled it.As for AVG I think proffesional works but not sure for the free edition,but i will try though!Where did i get all that spyware/trojan anyway?My zonealarm firewall is suppose to block all bad incoming traffic!

Also could you please answer to the answers in the above post,where I've edited the post?

CTSNKY · 11-14-2004, 11:04 AM

therock, if you want to keep Desktop Sidebar, that's fine. I was erring on the side of caution, with no knowledge of this application.

I have no idea where you problem started, probably inadequately protected against spyware in general.

Just press on and post a new log when complete, please.

therock · 11-14-2004, 01:26 PM

Well good news is winmin and browser hijack problems seem to have disappeared so far,but i should still have some virus as mcafee pops up some warnings(I have faulty installed it and i can't scan for viruses or even uninstall it)!And avg is not compatible!Well here's the log,did everything you said,except erasing same sidebar values as i want it.Though there was an error of a file not being deleted while in safe mode.Shall i now turn system restore on?

Logfile of HijackThis v1.98.2
Scan saved at 11:17:40 μμ, on 14/11/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Dfssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\CpuIdlePro\cpuidle.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\CD Eject Tool\CD Eject Tool.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\SHORTK~1\shortkey.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\Mail Virus Blocker\Server.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insomnia.gr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.insomnia.gr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [CD Eject Tool] C:\Program Files\CD Eject Tool\CD Eject Tool.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Trillian.lnk = ?
O4 - Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\Mail Virus Blocker\Server.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ShortKeys 2.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - (no file)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - (no file)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

MicroBell · 11-14-2004, 02:10 PM

Yes..turn restore back on. The log is mostly clean...but consider that flashget hogs IE pretty bad. Read through this and decide if you want to keep it...http://www.pestpatrol.com/PestInfo/f/flashget.asp

Also consider installing SP1 service pack for IE6. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here

11-14-2004, 07:12 AM	#1 (permalink)
therock Registered User Join Date: Nov 2004 Posts: 5 OS: Windows 2003	WinMin Problem and browser hijack Hallo i've been facing these 2 problems and i would really like your help!When i shutdown my pc there's an error of WinMin not responding,and everytime i open the internet explorer the home page is set to "http://yoursearcher.com/index.htm". I've read another topic here on how to deal with WinMin but the problem hasn't been solved!I turned off the system restore and scaned in safe mode with hijack this,spybot,adaware and about buster but no luck.Any clues?I'll also post my 2 logs here DoubleClick: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) Advertising.com: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) Advertising.com: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) Alexa Related: What's related link (Replace file, fixed) C:\WINDOWS\Web\related.htm Avenue A, Inc.: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) BFast: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) BlazeFind.Bridge: Autorun settings (Registry value, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunDLL Commission Junction: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) CoolWWWSearch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) CoolWWWSearch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) CoreMetrics: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) DSO Exploit: Data source object exploit (Registry change, fixed) HKEY_USERS\S-1-5-21-4177550750-1896881845-2489994563-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3 DyFuCA.InternetOptimizer: Program directory (Directory, fixed) C:\Program Files\Internet Optimizer\ DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) HitBox: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) HitsLink: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) HitsLink: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) ISTbar.Slotch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) ISTbar.Slotch: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) MediaPlex: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) PornTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) PowerScan: User settings (Registry key, fixed) HKEY_USERS\S-1-5-21-4177550750-1896881845-2489994563-500\Software\PowerScan SexList: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) SexTracker: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) TargetNet: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) ValueClick: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed) --- Spybot - Search && Destroy version: 1.3 --- 2004-05-12 Includes\Cookies.sbi 2004-05-12 Includes\Dialer.sbi 2004-05-12 Includes\Hijackers.sbi 2004-05-12 Includes\Keyloggers.sbi 2004-05-12 Includes\LSP.sbi 2004-05-12 Includes\Malware.sbi 2004-05-12 Includes\Revision.sbi 2004-05-12 Includes\Security.sbi 2004-05-12 Includes\Spybots.sbi 2004-05-12 Includes\Tracks.uti 2004-05-12 Includes\Trojans.sbi Last minute warning! When i try to open the hijack this log,mcafee doesn't let me!It says mcafee has detected a virus and the log doesn't open!I tried to close t from the tray but same thing happened!

11-14-2004, 07:16 AM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Try a fresh copy of HJT: Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us determine if there is any spyware/malware on your computer. EDIT: Notepad may be your problem.....look here for copy. Failing that, try: If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. __________________ GO BIG BLUE!! Last edited by CTSNKY : 11-14-2004 at 07:17 AM.

11-14-2004, 08:41 AM	#4 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Ouch brother, you have quite a nasty infection going on there. Definitiely need to run a full virus scan first thing! If you want a good, free AV program, try AVG at http://www.grisoft.com Your AAW Pro is plenty, make sure you follow the customized scanning directions in last post. Although we really need a log in Normal Mode, let's get to work. I am going to assume you have Windows XP for now. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers!! Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Desktop SideBar Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load O4 - HKLM\..\Run: [yrknef] C:\WINDOWS\yrknef.exe O4 - HKLM\..\Run: [kdcvqss] C:\WINDOWS\system32\hjqjgjdn.exe O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe" O4 - HKCU\..\Run: [kqkvfhs] c:\windows\ohowoiq.exe O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU) O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\system32\vbsys2 (file missing) Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: :\WINDOWS\system32\bridge.dll C:\WINDOWS\yrknef.exe C:\WINDOWS\system32\hjqjgjdn.exe C:\Program Files\Desktop Sidebar\ c:\windows\ohowoiq.exe c:\ied_s7m.cab c:\x.cab C:\foo.mht! Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com. Your IE is very outdated! __________________ GO BIG BLUE!!

11-14-2004, 10:16 AM	#5 (permalink)
therock Registered User Join Date: Nov 2004 Posts: 5 OS: Windows 2003	Ok everything's understandable but one question before I proceed.My OS is Windows 2003 server Enterprise and every common antivirus i've tried isn't compatible.Norton 2004,macafee 2005,and Panda are the ones i've tried,and none of them was compatible,so is Avg gonna be? So i first need to know about the antivirus use before i continuou. I would also like to thank very mush for the help you're providing me my friend! EDIT:Why do i need to uninstall the desktop sidebar?Is It infected?It's a programma i use,it's not something random.Also why do i need to update ie?I don't use it,i use Maxthon(MyIe). Last edited by therock : 11-14-2004 at 10:45 AM.

11-14-2004, 10:45 AM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Ahhhhh......well then ignore the System Restore stuff. I highly doubt AVG will work there. Press on with the instructions otherwise.... __________________ GO BIG BLUE!!

11-14-2004, 08:14 AM	#3 (permalink)
therock Registered User Join Date: Nov 2004 Posts: 5 OS: Windows 2003	That's the verison of hijack this that i Have.And the log doesn't open.I also don't think there's a notepad problem cause the spybot log opened just fine. Also do i really need ad-aware SE?Cause i already have professional.Can't i do something with tha or do i need to download se as well?The plugin didn't work with professional though. I have 56 k connection.Tried an online scan with bit defender but took too long and i stopped.As far as it went it revealed a "Download.Dyfuca" something like that virus and said that disinfection failed. I'll see what i can do with the hijack this log. I replaced the notepad.exe with the one from the link but same thing.But somehow on safemode the log opens,so i copied the loc into a microft word doc and here it goes.And i also gow the ad-aware se and the plugin.Can i have both se and pro installed at the same time. Logfile of HijackThis v1.98.2 Scan saved at 4:37:11 μμ, on 14/11/2004 Platform: Unknown Windows (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 (6.00.3790.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Downloads\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.insomnia.gr/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe O4 - HKLM\..\Run: [yrknef] C:\WINDOWS\yrknef.exe O4 - HKLM\..\Run: [kdcvqss] C:\WINDOWS\system32\hjqjgjdn.exe O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe" O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [CD Eject Tool] C:\Program Files\CD Eject Tool\CD Eject Tool.exe O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [kqkvfhs] c:\windows\ohowoiq.exe O4 - Startup: Trillian.lnk = ? O4 - Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\Mail Virus Blocker\Server.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: ShortKeys 2.lnk = ? O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU) O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\system32\vbsys2 (file missing)

11-14-2004, 10:59 AM	#7 (permalink)
therock Registered User Join Date: Nov 2004 Posts: 5 OS: Windows 2003	Why should i ignore the system restore?I've found i way to have it as an option on win2003 and i've already disabled it.As for AVG I think proffesional works but not sure for the free edition,but i will try though!Where did i get all that spyware/trojan anyway?My zonealarm firewall is suppose to block all bad incoming traffic! Also could you please answer to the answers in the above post,where I've edited the post?

11-14-2004, 11:04 AM	#8 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	therock, if you want to keep Desktop Sidebar, that's fine. I was erring on the side of caution, with no knowledge of this application. I have no idea where you problem started, probably inadequately protected against spyware in general. Just press on and post a new log when complete, please. __________________ GO BIG BLUE!!

11-14-2004, 01:26 PM	#9 (permalink)
therock Registered User Join Date: Nov 2004 Posts: 5 OS: Windows 2003	Well good news is winmin and browser hijack problems seem to have disappeared so far,but i should still have some virus as mcafee pops up some warnings(I have faulty installed it and i can't scan for viruses or even uninstall it)!And avg is not compatible!Well here's the log,did everything you said,except erasing same sidebar values as i want it.Though there was an error of a file not being deleted while in safe mode.Shall i now turn system restore on? Logfile of HijackThis v1.98.2 Scan saved at 11:17:40 μμ, on 14/11/2004 Platform: Unknown Windows (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 (6.00.3790.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\WINDOWS\System32\svchost.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\Dfssvc.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\Program Files\CpuIdlePro\cpuidle.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\RAM Idle\RAM_XP.exe C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\Program Files\Desktop Sidebar\dsidebar.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\Program Files\CD Eject Tool\CD Eject Tool.exe C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\PROGRA~1\SHORTK~1\shortkey.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\Mail Virus Blocker\Server.exe C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE C:\WINDOWS\system32\wuauclt.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insomnia.gr/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.insomnia.gr/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe" O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [CD Eject Tool] C:\Program Files\CD Eject Tool\CD Eject Tool.exe O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: Trillian.lnk = ? O4 - Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\Mail Virus Blocker\Server.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: ShortKeys 2.lnk = ? O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - (no file) O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - (no file) O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: FlashKeeper - {86301D40-94C1-4a5e-843B-7F43965E364A} - C:\Program Files\FlashKeeper\GetFlash.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

11-14-2004, 02:10 PM	#10 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,954 OS: Windows XP-Pro SP2	Yes..turn restore back on. The log is mostly clean...but consider that flashget hogs IE pretty bad. Read through this and decide if you want to keep it...http://www.pestpatrol.com/PestInfo/f/flashget.asp Also consider installing SP1 service pack for IE6. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder