#1
Registered User
Join Date: Feb 2005
Posts: 2
OS: xp home
filost & oldgame Hijacking
I keep getting a new window opening with filost and old games appearing in the window.
Just done a Hijack this scan, the result is this:- <?xml version = "1.0"?> <Session START = "27 Feb 05 18:43:48" END = "27 Feb 05 18:43:48"> <Information Version = "4.10" DatabaseVersion = "64" DataBaseDate = "24 February 2005"/> <Information OS = "Win XP"/> <Information ServicePack = "Service Pack 1"/> <Information WorkingDirectory = "C:\Program Files\XoftSpy\"/> <Information Option = "AdvSpyware Scan" State = "ON"/> <Information Option = "Scan IE Favorites" State = "ON"/> <Information Option = "Scan Host Files" State = "ON"/> <Information Option = "Scan Drives" State = "ON"/> <Information Option = "Do Not Scan Executables" State = "OFF"/> <Information Option = "Scan Registry" State = "ON"/> <Information Option = "Scan Active Processes" State = "ON"/> <Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/> <Information Value = "ctfmon.exe" Data = "C:\WINDOWS\System32\ctfmon.exe"/> <Information Value = "MSMSGS" Data = ""C:\Program Files\Messenger\msmsgs.exe" /background"/> <Information Value = "Sonic RecordNow!" 
Data = ""/> <Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Main"/> <Information Value = "NoUpdateCheck" Data = ""/> <Information Value = "NoJITSetup" Data = ""/> <Information Value = "Disable Script Debugger" Data = "yes"/> <Information Value = "Show_ChannelBand" Data = "No"/> <Information Value = "Anchor Underline" Data = "yes"/> <Information Value = "Cache_Update_Frequency" Data = "Once_Per_Session"/> <Information Value = "Display Inline Images" Data = "yes"/> <Information Value = "Do404Search" Data = ""/> <Information Value = "Local Page" Data = "C:\WINDOWS\System32\blank.htm"/> <Information Value = "Save_Session_History_On_Exit" Data = "no"/> <Information Value = "Show_FullURL" Data = "no"/> <Information Value = "Show_StatusBar" Data = "yes"/> <Information Value = "Show_ToolBar" Data = "yes"/> <Information Value = "Show_URLinStatusBar" Data = "yes"/> <Information Value = "Show_URLToolBar" Data = "yes"/> <Information Value = "Start Page" Data = "http://www.google.co.uk/"/> <Information Value = "Use_DlgBox_Colors" Data = "yes"/> <Information Value = "Search Page" Data = ""/> <Information Value = "Window Title" Data = "Packard Bell"/> <Information Value = "Search Bar" Data = "http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH"/> <Information Value = "Use Custom Search URL" Data = ""/> <Information Value = "FullScreen" Data = "no"/> <Information Value = "Window_Placement" Data = ","/> <Information Value = "Error Dlg Displayed On Every Error" Data = "no"/> <Information Value = "Error Dlg Details Pane Open" Data = "no"/> <Information Value = "AddToFavoritesExpanded" Data = ""/> <Information Value = "Use FormSuggest" Data = "no"/> <Information Value = "NotifyDownloadComplete" Data = "yes"/> <Information Value = "Save Directory" Data = "C:\Hedd\"/> <Information Value = "Expand Alt Text" Data = "no"/> <Information Value = "Move System Caret" Data = "no"/> <Information Value = 
"NscSingleExpand" Data = ""/> <Information Value = "NoWebJITSetup" Data = ""/> <Information Value = "Page_Transitions" Data = ""/> <Information Value = "FavIntelliMenus" Data = "no"/> <Information Value = "Enable Browser Extensions" Data = "yes"/> <Information Value = "UseThemes" Data = ""/> <Information Value = "Force Offscreen Composition" Data = ""/> <Information Value = "AllowWindowReuse" Data = ""/> <Information Value = "Friendly http errors" Data = "yes"/> <Information Value = "ShowGoButton" Data = "yes"/> <Information Value = "SmoothScroll" Data = ""/> <Information Value = "Enable AutoImageResize" Data = "yes"/> <Information Value = "Enable_MyPics_Hoverbar" Data = "yes"/> <Information Value = "Play_Animations" Data = "yes"/> <Information Value = "Play_Background_Sounds" Data = "yes"/> <Information Value = "Display Inline Videos" Data = "yes"/> <Information Value = "Show image placeholders" Data = ""/> <Information Value = "Print_Background" Data = "no"/> <Information Value = "AutoSearch" Data = ""/> <Information Value = "LastCheckedHi" Data = "…Å"/> <Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Main"/> <Information Value = "Default_Page_URL" Data = "file://C:\APPS\IE\offline\uk.htm"/> <Information Value = "Default_Search_URL" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/> <Information Value = "Search Page" Data = ""/> <Information Value = "Enable_Disk_Cache" Data = "yes"/> <Information Value = "Cache_Percent_of_Disk" Data = " "/> <Information Value = "Delete_Temp_Files_On_Exit" Data = "yes"/> <Information Value = "Local Page" Data = "%SystemRoot%\system32\blank.htm"/> <Information Value = "Anchor_Visitation_Horizon" Data = ""/> <Information Value = "Use_Async_DNS" Data = "yes"/> <Information Value = "Placeholder_Width" Data = ""/> <Information Value = "Placeholder_Height" Data = ""/> <Information Value = "Start Page" Data = "http://www.google.co.uk/"/> <Information Value = "Wizard_Version" 
Data = "6.00.2800.1106"/> <Information Value = "FullScreen" Data = "no"/> <Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Search"/> <Information Value = "SearchAssistant" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"/> <Information Value = "CustomizeSearch" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"/> <Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/> <Information Value = "Apoint" Data = "C:\Program Files\Apoint2K\Apoint.exe"/> <Information Value = "NECMFK" Data = "C:\Program Files\necmfk\necmfk.exe"/> <Information Value = "Smapp" Data = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"/> <Information Value = "ATIModeChange" Data = "Ati2mdxx.exe"/> <Information Value = "ATIPTA" Data = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"/> <Information Value = "AGRSMMSG" Data = "AGRSMMSG.exe"/> <Information Value = "RealTray" Data = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER"/> <Information Value = "AOL Spyware Protection" Data = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe""/> <Information Value = "ccApp" Data = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe""/> <Information Value = "URLLSTCK.exe" Data = "C:\Program Files\Norton Internet Security\UrlLstCk.exe"/> <Information Value = "REGSHAVE" Data = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN"/> <Information Value = "EPSON Stylus C46 Series" Data = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46""/> <Information Value = "SunJavaUpdateSched" Data = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"/> <Information Value = "Symantec NetDriver Monitor" Data = "C:\PROGRA~1\SYMNET~1\SNDMon.exe"/> <Information Value = "SSC_UserPrompt" Data = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"/> <Information Value 
= "KernelFaultCheck" Data = "%systemroot%\system32\dumprep 0 -k"/> <Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SYSTEM\ControlSet001\Services\Winsock2\Parameters\Protocol_Catalog9"/> <Information Value = "Num_Catalog_Entries" Data = ""/> <Information Value = "Next_Catalog_Entry_ID" Data = "$"/> <Information Value = "Serial_Access_Num" Data = ""/> <Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SYSTEM\ControlSet003\Services\Winsock2\Parameters\Protocol_Catalog9"/> <Information Value = "Num_Catalog_Entries" Data = ""/> <Information Value = "Next_Catalog_Entry_ID" Data = "$"/> <Information Value = "Serial_Access_Num" Data = ""/> <Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/> <Information Value = "AppInit_DLLs" Data = ""/> <Information Value = "DeviceNotSelectedTimeout" Data = "15"/> <Information Value = "GDIProcessHandleQuota" Data = "'"/> <Information Value = "Spooler" Data = "yes"/> <Information Value = "swapdisk" Data = ""/> <Information Value = "TransmissionRetryTimeout" Data = "90"/> <Information Value = "USERProcessHandleQuota" Data = "'"/> <Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/> <Information Value = "DebugOptions" Data = "2048"/> <Information Value = "Documents" Data = ""/> <Information Value = "DosPrint" Data = "no"/> <Information Value = "load" Data = ""/> <Information Value = "NetMessage" Data = "no"/> <Information Value = "NullPort" Data = "None"/> <Information Value = "Programs" Data = "com exe bat pif cmd"/> <Information Value = "Device" Data = "EPSON Stylus C46 Series,winspool,Ne00:"/> <Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\URLSearchHooks"/> <Information Value = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" Data = ""/> <Scanning TIME = "27 Feb 05 18:43:48"> <PROCESS NAME = "-" MD5 = "(null)"/> <PROCESS NAME = "\SystemRoot\System32\smss.exe" MD5 = "(null)"/> 
<PROCESS NAME = "\??\C:\WINDOWS\system32\csrss.exe" MD5 = "(null)"/> <PROCESS NAME = "\??\C:\WINDOWS\system32\winlogon.exe" MD5 = "(null)"/> <PROCESS NAME = "C:\WINDOWS\system32\services.exe" MD5 = "e3df4a0252d287c44606ee55355e1623"/> <PROCESS NAME = "C:\WINDOWS\system32\lsass.exe" MD5 = "b2b6ba905d0e3f8a32a0eb3b4051807b"/> <PROCESS NAME = "C:\WINDOWS\System32\Ati2evxx.exe" MD5 = "94627116f20d1f1350d2d14470043a60"/> <PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "0f7d9c87b0ce1fa520473119752c6f79"/> <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "0f7d9c87b0ce1fa520473119752c6f79"/> <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "0f7d9c87b0ce1fa520473119752c6f79"/> <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "0f7d9c87b0ce1fa520473119752c6f79"/> <PROCESS NAME = "C:\WINDOWS\Explorer.EXE" MD5 = "a82b28bfc2e4455fe43022a498c0ef0a"/> <PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" MD5 = "e761fc4a1e6cfecdae543452d3b1d0f1"/> <PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" MD5 = "997bf60bef992c61c3014ef5c56d93ea"/> <PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" MD5 = "04c97539e8555d7cd5b7cea7e75804f7"/> <PROCESS NAME = "C:\Program Files\Apoint2K\Apoint.exe" MD5 = "59acf24b5cd10dc1af661d8d8fbf8ea4"/> <PROCESS NAME = "C:\Program Files\necmfk\necmfk.exe" MD5 = "db9b36d5daf2bb1c85d179f81c114d89"/> <PROCESS NAME = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" MD5 = "00ec08331def75c56a62dbbfd3be47f5"/> <PROCESS NAME = "C:\Program Files\Apoint2K\Apntex.exe" MD5 = "cca1b81492b40890e44b2b20a780ee1f"/> <PROCESS NAME = "C:\Program Files\Apoint2K\HidFind.exe" MD5 = "053a8f4958541cbcd0c5eec1fa796ba6"/> <PROCESS NAME = "C:\WINDOWS\AGRSMMSG.exe" MD5 = "88de365f132a59ea016c7800a515e67d"/> <PROCESS NAME = "C:\Program Files\Real\RealPlayer\RealPlay.exe" MD5 = "849d97fe4cc09cfc2772d10f641e1baf"/> <PROCESS NAME = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP 
Scheduler.exe" MD5 = "1ff1298e77c4a4ba6702b3c84bd78b71"/> <PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" MD5 = "22755776eccc7165ac109c381782a957"/> <PROCESS NAME = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" MD5 = "b3f49526347a82f8939881804c56aa94"/> <PROCESS NAME = "C:\WINDOWS\System32\ctfmon.exe" MD5 = "414de7cf9d3f19c3ea902f1bb38ec116"/> <PROCESS NAME = "C:\Program Files\Messenger\msmsgs.exe" MD5 = "1e455b08870d4ac3bb6ab5968603e8af"/> <PROCESS NAME = "C:\Program Files\FinePixViewer\QuickDCF.exe" MD5 = "9f2e8c6f27292ded3f8d206d784c36f6"/> <PROCESS NAME = "C:\WINDOWS\system32\spoolsv.exe" MD5 = "9b4155ba58192d4073082b8fc5d42612"/> <PROCESS NAME = "C:\WINDOWS\System32\alg.exe" MD5 = "497aead5ecef9512f6b364977a5308ee"/> <PROCESS NAME = "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" MD5 = "ef74eebb2d3ddc9f71c6d3cc8c7889c6"/> <PROCESS NAME = "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" MD5 = "94542982737bb8bc684d6193eb9b39a4"/> <PROCESS NAME = "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe" MD5 = "106188ee7fce8c769defec27c1edb67c"/> <PROCESS NAME = "C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe" MD5 = "bfba4ed75bcdf0f5681a6749d8f27fc7"/> <PROCESS NAME = "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" MD5 = "3978f082274f723ad5a0a8058c2417dd"/> <PROCESS NAME = "C:\WINDOWS\System32\wuauclt.exe" MD5 = "a3763ce319d9eb3ec2ac04901f293b9d"/> <PROCESS NAME = "C:\Program Files\XoftSpy\XoftSpy.exe" MD5 = "a32b6df132bcab46d04ba3d273a61cba"/> <FILE PATH = "AdClick-AC C:\WINDOWS\System32\vbsys2.dll"/> <ScanningRegKeys> </SW> <SW NAME = "OrbitExplorer"> <REGKEYFOUND NAME = "TYPELIB\{205ff72e-ca67-11d5-99dd-444553540000}"/> <REGKEY NAME = "OrbitExplorer TYPELIB\{205ff72e-ca67-11d5-99dd-444553540000}"/> </SW> <SW NAME = "WildTangent"> <REGKEYFOUND NAME = "install.install"/> <REGKEY NAME = "WildTangent install.install"/> </SW> <SW NAME = "WildTangent"> <REGKEYFOUND NAME = 
"install.install.1"/> <REGKEY NAME = "WildTangent install.install.1"/> </SW> <SW NAME = "WildTangent"> <REGKEYFOUND NAME = "TYPELIB\{205ff72e-ca67-11d5-99dd-444553540000}"/> </SW> <SW NAME = "Alexa"> <REGKEYFOUND NAME = "software\microsoft\internet explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}"/> <REGKEY NAME = "Alexa software\microsoft\internet explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}"/> </SW> <SW NAME = "AdClick-AC"> <REGKEYFOUND NAME = "CLSID\{54645654-2225-4455-44A1-9F4543D34545}"/> <REGKEY NAME = "AdClick-AC CLSID\{54645654-2225-4455-44A1-9F4543D34545}"/> </ScanningRegKeys> <ScanningRegValues> </SW> <SW NAME = "AdClick-AC"> <REGVALUE VALUE = "AdClick-AC SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2:@:{54645654-2225-4455-44A1-9F4543D34545}"/> <REGVALUEFOUND NAME = "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2:@:{54645654-2225-4455-44A1-9F4543D34545}"/> </ScanningRegValues> <ScanningRegValuesChanged> </ScanningRegValuesChanged> <FILE PATH = "Tracking Cookie C:\Documents and Settings\Jones\Cookies\jones@atdmt[2].txt"/> <FILE PATH = "C:\Documents and Settings\Jones\Cookies\jones@atdmt[2].txt"/> <FILE PATH = "Tracking Cookie C:\Documents and Settings\Jones\Cookies\jones@casalemedia[1].txt"/> <FILE PATH = "C:\Documents and Settings\Jones\Cookies\jones@casalemedia[1].txt"/> <FILE PATH = "Tracking Cookie C:\Documents and Settings\Jones\Cookies\jones@fastclick[1].txt"/> <FILE PATH = "C:\Documents and Settings\Jones\Cookies\jones@fastclick[1].txt"/> <FILE PATH = "Tracking Cookie C:\Documents and Settings\Jones\Cookies\jones@tribalfusion[1].txt"/> <FILE PATH = "C:\Documents and Settings\Jones\Cookies\jones@tribalfusion[1].txt"/> </Scanning> Can anyone help with my problems?? Thanks in advance |
#2
Analyst, Security Team
Could you run it again and save the log. Make sure Notepad is opening it. It seems to be formatted in XML.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#3
Registered User
Join Date: Feb 2005
Posts: 2
OS: xp home
I'll try again.
This time I've done an Ad-Aware and Spybot scan and fixes, still have the same problem tho'. I think the log above came from XoftSpy. I now have HijackThis; here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 21:17:20, on 09/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\necmfk\necmfk.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hedd\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bi...e=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope this is the correct log this time. Can anybody advise what to remove?? Many thanks in advance
#4
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off System Restore by right-clicking on My Computer, going to Properties->System Restore and checking the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and have verified that it's clean, you may turn it back on and create a new restore point.

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Run a scan in HijackThis.

Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

c:\ied_s7.cab
c:\wx.cab
C:\WINDOWS\System32\vbsys2.dll

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in Normal Mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
GO BIG BLUE!!
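As an added example (not code from this thread or from the HijackThis project), a small Python triage script that parses lines in the HijackThis log format posted in #3 and flags the same entry types the helper in #4 tells the poster to fix: O16 controls registered from a local file:// source, O21 SSODL entries outside the Windows XP defaults, and the KernelFaultCheck leftover. The sample log, the default-SSODL name set and the severity labels are constructed assumptions, not output from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99 log format. The flagged lines copy the
# entry types the helper above tells the poster to fix; the Spybot BHO, ccApp and
# SAVScan lines are ordinary entries kept for contrast (note the " - " inside the
# Spybot path, which a naive split on " - " would mangle).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAME_RE = re.compile(r"^[^:]+: (?P<name>.*?)(?: - |$)")
# A target begins at the first " - " followed by something path- or URL-like, so a
# " - " inside a later path segment stays part of the target.
TARGET_RE = re.compile(r" - (?P<target>(?:[A-Za-z]:\\|%\w+%\\|\\\\|[A-Za-z]+://).*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")

# Assumed baseline: the ShellServiceObjectDelayLoad names that ship with Windows XP.
# Anything else under that key is loaded into Explorer at logon and deserves a look.
DEFAULT_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}


@dataclass
class Entry:
    section: str           # e.g. "O16"
    name: Optional[str]    # [name] for O4, the text before the first " - " otherwise
    clsid: Optional[str]
    target: str            # path, URL or command line the entry points at


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, name, CLSID and target; None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    if section == "O4":
        o4 = O4_RE.search(body)
        name = o4.group("name") if o4 else None
        target = o4.group("target").strip() if o4 else body
    else:
        name_m = NAME_RE.match(body)
        name = name_m.group("name") if name_m else None
        if name == clsid:          # O16 lines carry only a CLSID, no display name
            name = None
        target_m = TARGET_RE.search(body)
        target = target_m.group("target") if target_m else body
    return Entry(section, name, clsid, target)


def triage(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (severity, section, reason, target) for entries worth a second look."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O16" and re.match(r"(?i)file:", e.target):
            findings.append(("high", e.section,
                             "ActiveX control registered from a local file, not a web site", e.target))
        elif e.section == "O21" and e.name not in DEFAULT_SSODL:
            findings.append(("high", e.section,
                             "non-default SSODL entry loads a DLL into Explorer at logon", e.target))
        elif e.section == "O4" and e.name == "KernelFaultCheck":
            findings.append(("low", e.section,
                             "leftover crash-report entry (dumprep); clutter, safe to remove", e.target))
    return findings


if __name__ == "__main__":
    for sev, sec, reason, target in triage(SAMPLE_LOG):
        print(f"[{sev}] {sec} {reason}: {target}")
```

Feed it a saved HijackThis log instead of SAMPLE_LOG to get the same three classes of finding; everything it does not flag still needs a human read, since the rules only encode what this thread walked through.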