Old 03-16-2005, 08:51 AM   #1 (permalink)
OS: XP professional


very serious problems

2 days ago I noticed that my computer was having some major problems. I went to use programs and they would come up with a Windows Installer window instead of opening the program. When I tried to do a disk cleanup from the Start/Programs/System Tools area, the window that usually lists all the areas you can clean up was blank. The majority of my programs were missing from my Add/Remove Programs window. My All Programs window won't even open anymore, and my Recycle Bin disappeared from my desktop while the icons for Internet Explorer, My Computer and My Network Places suddenly turned up without me even putting them there. I have run scans of the system with Spybot, Ad-Aware, CleanUp and CWShredder, with all the latest updates already installed on them. I am using AVG Free antivirus and have no firewall installed, as my modem is a firewall router. I have included my HijackThis logfile and also SnagIt pics of the Add/Remove Programs area and the Program Files and Windows folders on my computer; however, the hidden files are not displayed because my Folder Options View tab is also just a blank space (no options at all displayed). I cannot even get any of these blank spaces to reappear as normal in Safe Mode. After I realised that there were problems I decided to reformat the computer and reinstall Windows on a new partition. After doing this my computer was fine. I installed all my programs again and did all the relevant Windows updates and spyware definition updates, and then went to do a disk cleanup before I used Acronis True Image v6 to create an image of my hard drive so I didn't have to spend 12 hours reinstalling programs if I had any more problems, only to find that my disk cleanup window was again blank! So was the Folder Options View window, and my desktop had again been modified without my doing so.

Here is my hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 12:27:15 AM, on 17/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Vampy\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\InternetDownloadAccelerator\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\InternetDownloadAccelerator\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
And here is the log from the HijackThis Analyzer by greyknight17:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:27:15 AM, on 17/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Documents and Settings\Vampy\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\InternetDownloadAccelerator\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\InternetDownloadAccelerator\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Thank you
Attached Images
File Type: jpg snagit pic of spybot list.JPG (125.2 KB, 13 views)
File Type: jpg snagit of add-remove progs list.JPG (76.5 KB, 12 views)
File Type: jpg snagit of folder options view.JPG (30.6 KB, 10 views)
Attached Files
File Type: txt Report everesthomeedition system and program summary.txt (147.4 KB, 1 views)
vampyr2005 is offline  
Old 03-17-2005, 01:13 AM   #2 (permalink)
Start by updating to SpyBot 1.3, rescan with that and then post a fresh log. Make sure you also run Ad-Aware.

How to setup Ad-Aware

Download Ad-Aware
Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Double-click aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
Open AdAware from Start | Programs | Lavasoft | AdAware.
Select <Check for updates now>, <Proceed>
After installation, run the program and click the Start button. Then click the Next button. This lets Ad-Aware scan your computer.
After Ad-Aware is done running, hit the Next button. Then right-click the area with the listed spyware objects. Choose the "Select all objects" option.
At this point all the boxes next to the items should be checked. Then hit the next button.
It will ask if you want to delete the selected objects. Hit the Okay button.
Now most of the spyware should have been deleted from your hard drive.
__________________
Eddy
Pancake is offline  
Old 03-17-2005, 01:28 AM   #3 (permalink)
Just a question: you wouldn't happen to have already tried to delete some files? If you deleted critical files needed by the system, then it can cause these errors.
XTTX is offline  
Old 03-17-2005, 08:31 AM   #4 (permalink)
Latest spybot and adaware and deleting files.

Hi. In response to the reply about the Spybot and Ad-Aware releases: I am using the absolute latest Spybot and its definition files, updated about 6 hrs before I posted the log in the original thread, and I had the latest Ad-Aware Personal Edition and it was also updated at the same time. That is the logfile from the scan that happened after I had all those programs on the computer. I can't download or update anything anymore because my computer is a client to another machine that has ADSL internet and is on a home network, and the network is no longer working to allow me access to the internet on the client machine (the problematic computer); the problematic computer will not allow me to properly install programs anymore (see above thread for explanations).
And in response to the other question about whether or not I have deleted any files, the answer is no. I did delete some temporary files and registry items that referred to files no longer on my system, but no system files and nothing in the registry that referred to anything that was currently on the system or that my registry cleaner had not removed MANY times before without causing problems. I could try reinstalling the latest Spybot and Ad-Aware SE IF my computer will let me; however, I would consider that a pointless venture considering I have no internet access to update them to today's current definition files, and without those they will be useless.
Thanks for your consideration of this problem. If you have any more questions or ideas on causes or solutions, please feel free to post replies.
vampyr2005 is offline  
Old 03-17-2005, 11:48 AM   #5 (permalink)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
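As an added example (not code from this thread, from HijackThis, or from KRC HijackThis Analyzer), here is a small Python script that does by machine what the instructions above ask the poster to do by eye: parse a HijackThis v1.99.x log, pick out the R0/R3/O13/O15 entry types this thread is about with a one-line reason for each, and compare a before-fix log with an after-fix log to list the entries that came back after 'Fix checked'. The two sample logs inside it are constructed, modelled on the logs posted in this thread; the O15 regular expression follows the exact wording HijackThis prints in those logs.

```python
# Added example for this thread (not part of HijackThis or KRC HijackThis
# Analyzer): parse HijackThis v1.99.x logs, flag the entry types discussed
# above, and diff a before/after pair to list entries that survived a fix.
import re
from typing import Dict, List, Tuple

# One HijackThis entry: section code (R0, F1, N1, O4, O13, O15 ...) then body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# The O15 ProtocolDefaults wording HijackThis uses, as seen in the logs above.
O15_RE = re.compile(
    r"ProtocolDefaults: '(?P<proto>[^']+)' protocol is in (?P<cur>.+?) Zone,"
    r" should be (?P<exp>.+?) Zone"
)

Finding = Tuple[str, str]  # (entry line, reason it was flagged)

# Constructed sample log, modelled on the ones posted in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:03:16 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Constructed "after Fix checked" log: the R0 entry and the WWW prefix stayed
# fixed, the rest came straight back, which is what the thread reports.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:04:43 PM, on 18/03/2005

Running processes:
C:\WINDOWS\Explorer.EXE

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O13 - DefaultPrefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
"""


def parse_hjt_log(text: str) -> Dict[str, list]:
    """Split a HijackThis log into running processes and (section, body) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return {"processes": processes, "entries": entries}


def flag_entries(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Return (entry line, reason) for the entry types this thread is about."""
    findings: List[Finding] = []
    for section, body in entries:
        line = f"{section} - {body}"
        if section == "R0" and body.endswith("="):
            findings.append((line, "IE page setting has an empty value"))
        elif section == "R3" and body.endswith("is missing"):
            findings.append((line, "default URLSearchHook registry entry is absent"))
        elif section == "O13" and body.endswith(":"):
            # A blank prefix; IE's own default for DefaultPrefix is http://
            findings.append((line, "URL prefix is blank (IE default is http://)"))
        elif section == "O15":
            m = O15_RE.search(body)
            if m and m["cur"] != m["exp"]:
                findings.append((line, f"'{m['proto']}' is handled in the {m['cur']} Zone "
                                       f"instead of the {m['exp']} Zone"))
    return findings


def persisted_entries(before: str, after: str,
                      sections=("R0", "R3", "O13", "O15")) -> List[str]:
    """Entries (of the given sections) present in both logs, i.e. the ones
    that came back after 'Fix checked' and so need their source found."""
    before_set = {e for e in parse_hjt_log(before)["entries"] if e[0] in sections}
    after_set = {e for e in parse_hjt_log(after)["entries"] if e[0] in sections}
    return sorted(f"{s} - {b}" for s, b in before_set & after_set)


if __name__ == "__main__":
    for line, reason in flag_entries(parse_hjt_log(BEFORE_LOG)["entries"]):
        print(f"{line}\n    -> {reason}")
    print("\nStill present after the fix:")
    for line in persisted_entries(BEFORE_LOG, AFTER_LOG):
        print("  " + line)
```

The before/after comparison is the useful part for a case like this one: when an entry is in the "still present" list after a fix in Safe Mode, HijackThis removing it is pointless until whatever re-creates it is identified, so the list tells you which entries to stop fixing and start tracing.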
Old 03-18-2005, 12:29 AM   #6 (permalink)
Hi greyknight, thanks for the quick response. I will try using CWShredder as you suggest and run the HijackThis fixes; however, I would like to stress, and I have already mentioned this in my original post, that I am UNABLE to make my computer show its hidden files, as the area that gives you those options when you click on Tools, Folder Options and View is completely blank. (See the SnagIt pic of the Folder Options area that was posted with the original post, and also the following quote from my original post: "however the hidden files are not displayed because my folder options view tab is also just a blank space (no options at all displayed)".) I will try the fixes you have suggested and post new logs after doing so. Thank you.
vampyr2005 is offline  
Old 03-18-2005, 01:34 AM   #7 (permalink)
Okay, I have now done what was suggested by greyknight, except for the files view step because, as I have previously stated, my computer will not allow me to do that. When I did the CWShredder scan it came up completely clean. I rebooted into Windows and did the HijackThis scans, and after I removed the O13 and O15 options they just came back. After rebooting into normal Windows mode and doing the scans and then repairing them, they again just kept coming back. Here are the results of the logs and the analyzer logs.

before fixing in safe mode:
Logfile of HijackThis v1.99.1
Scan saved at 7:03:16 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\installed\spyware cleaners\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

analyzer log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:03:16 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\installed\spyware cleaners\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

after fixing in safe mode:
Logfile of HijackThis v1.99.1
Scan saved at 7:04:43 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\installed\spyware cleaners\hijack this\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

analyzer log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:04:43 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\installed\spyware cleaners\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

before fixing in normal windows mode:
Logfile of HijackThis v1.99.1
Scan saved at 7:09:06 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\installed\spyware cleaners\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\InternetDownloadAccelerator\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\InternetDownloadAccelerator\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

analyzer log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:09:06 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\installed\spyware cleaners\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\InternetDownloadAccelerator\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\InternetDownloadAccelerator\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

after fixing in normal windows mode:
Logfile of HijackThis v1.99.1
Scan saved at 7:17:10 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
F:\installed\spyware cleaners\hijack this\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\InternetDownloadAccelerator\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\InternetDownloadAccelerator\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

analyzer log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:17:10 PM, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
F:\installed\spyware cleaners\hijack this\HijackThis.exe

O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\InternetDownloadAccelerator\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\InternetDownloadAccelerator\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\InternetDownloadAccelerator\ida.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

thanks
vampyr2005 is offline  
Old 03-18-2005, 07:57 AM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


OK, not sure if it could be a bug in HijackThis that's causing those entries to show up.

If you keep getting the DSO Exploit entries in Spybot, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Go to Start->Run and type in sfc /scannow and hit OK. See if that will find any missing/corrupted files.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 03-18-2005, 12:23 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 181
OS: XP professional


Hi Greyknight, thanks for the help. I did what you told me to do and the Spybot exploit program detected 1 error to do with Windows Media Player, details below:
spybot log before fixing:

--- Search result list ---
Windows Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-725345543-436374069-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0


--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

2003-03-16 blindman.exe
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2003-03-16 Update.exe
2004-10-04 advcheck.dll (1.0.1.0)
2003-03-16 borlndmm.dll (7.0.4.453)
2003-03-16 delphimm.dll (7.0.4.453)
2003-03-16 SDHelper.dll
2003-03-16 Tools.dll
2003-03-16 UnzDll.dll (1.7.0.8)
2003-03-16 ZipDll.dll (1.7.0.8)
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB886906)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB891781


--- Startup entries list ---
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: WinLogon, crypt32chain
command: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll



--- Browser helper object list ---


--- ActiveX list ---
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:



--- Process list ---

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 256 ( 300) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 300 ( 240) C:\WINDOWS\Explorer.EXE
PID: 316 ( 912) C:\WINDOWS\system32\wuauclt.exe
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 564 ( 508) csrss.exe
PID: 588 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 632 ( 588) C:\WINDOWS\system32\services.exe
PID: 644 ( 588) C:\WINDOWS\system32\lsass.exe
PID: 756 ( 300) C:\WINDOWS\system32\ctfmon.exe
PID: 804 ( 632) C:\WINDOWS\system32\svchost.exe
PID: 848 ( 632) svchost.exe
PID: 912 ( 632) C:\WINDOWS\System32\svchost.exe
PID: 956 ( 632) svchost.exe
PID: 1004 ( 632) svchost.exe
PID: 1232 ( 632) C:\WINDOWS\system32\spoolsv.exe
PID: 1352 ( 632) C:\WINDOWS\system32\netdde.exe
PID: 1404 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 1420 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 1496 ( 632) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1600 ( 632) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1688 ( 632) wdfmgr.exe
PID: 1928 ( 632) alg.exe
PID: 2032 ( 300) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Spybot - Search && Destroy process list report, 19/03/2005 3:28:23 AM


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 19/03/2005 3:28:23 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll

spybot log after fixing:


--- Search result list ---
Windows Media Player: Anonymous ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-725345543-436374069-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0


--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

2003-03-16 blindman.exe
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2003-03-16 Update.exe
2004-10-04 advcheck.dll (1.0.1.0)
2003-03-16 borlndmm.dll (7.0.4.453)
2003-03-16 delphimm.dll (7.0.4.453)
2003-03-16 SDHelper.dll
2003-03-16 Tools.dll
2003-03-16 UnzDll.dll (1.7.0.8)
2003-03-16 ZipDll.dll (1.7.0.8)
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB886906)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB891781


--- Startup entries list ---
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: WinLogon, crypt32chain
command: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll



--- Browser helper object list ---


--- ActiveX list ---
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:



--- Process list ---

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 256 ( 300) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 300 ( 240) C:\WINDOWS\Explorer.EXE
PID: 316 ( 912) C:\WINDOWS\system32\wuauclt.exe
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 564 ( 508) csrss.exe
PID: 588 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 632 ( 588) C:\WINDOWS\system32\services.exe
PID: 644 ( 588) C:\WINDOWS\system32\lsass.exe
PID: 756 ( 300) C:\WINDOWS\system32\ctfmon.exe
PID: 804 ( 632) C:\WINDOWS\system32\svchost.exe
PID: 848 ( 632) svchost.exe
PID: 912 ( 632) C:\WINDOWS\System32\svchost.exe
PID: 956 ( 632) svchost.exe
PID: 1004 ( 632) svchost.exe
PID: 1232 ( 632) C:\WINDOWS\system32\spoolsv.exe
PID: 1352 ( 632) C:\WINDOWS\system32\netdde.exe
PID: 1404 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 1420 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 1496 ( 632) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1600 ( 632) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1688 ( 632) wdfmgr.exe
PID: 1928 ( 632) alg.exe
PID: 2032 ( 300) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Spybot - Search && Destroy process list report, 19/03/2005 3:28:58 AM


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 19/03/2005 3:28:58 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll

When I did the sfc /scannow check I got a message, a copy of which you will find attached below, telling me that .dll files were missing, and while scanning the progress bar only moves very slowly and just a little bit before again showing the same error message.
Would you suggest that I try to fix the problem that way or just try to repair Windows using the XP CD, and do you have any idea how it might have happened? I use System Mechanic and Norton SystemWorks One Button Checkup for detecting registry errors; Norton's fixes the problems while System Mechanic gives me a list and asks me what to remove, and I check the list and try to make sure that I'm only removing entries that correspond to unused items. When using Spybot I only delete items in RED. One other question: I just noticed in my Spybot logs under system information that when it lists the Windows XP hotfixes it lists them as /Windows XP /SP3: Windows XP Hotfix. Is that meant to be like that? Because I thought that there was so far only an SP2 for Windows XP.
Thanks.
Attached Images
File Type: jpg snagit windows protection.jpg (105.5 KB, 4 views)

Last edited by vampyr2005; 03-18-2005 at 12:29 PM.
vampyr2005 is offline  
Old 03-18-2005, 01:18 PM   #10 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Allow SFC to copy it to the DLL Cache folder.

For that windows media player detection by Spybot, there's a setting that you need to change in Windows Media Player so that Microsoft can't uniquely identify you. You just need to go into the settings and look for that option to change it. I'm not in front of my XP computer now, so I can't give you the specifics.

Any other problems now?
greyknight17 is offline  
Old 03-19-2005, 02:27 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 181
OS: XP professional


Hi, thanks for the latest advice. SFC has copied the dll files back to the dll cache, however after restarting the problems still remain: no options in the folder view settings area; half of my quickstart icons, when clicked on, will not open programs, they just do nothing; my network is working intermittently. This afternoon my computer actually downloaded a file from the Windows Update site for me to install, however when I install it it tells me that it has been successfully installed, and 2 mins later the icon is in the clock area telling me that I have an update file that needs to be installed, and it is the exact same file that I had just installed. Also, when I try to turn my screensaver off, I click Apply and OK and then 10 mins later my screensaver suddenly starts up again, no matter how many times I turn it off. I have a USB laptop hard drive that I use like a pendrive for portable files and stuff; when I plug that in I get the little window that XP uses to ask you if you want to open the folder or play files in Media Player etc., but instead of those options all I have is a blank space, the same as the one in the folder view options area. And I still can't access my recycle bin to delete any of those files, and the My Programs link on my start bar still refuses to open unless I right click on it, and even then it only shows one folder titled Programs and only about 4 things inside that folder.

In regards to the Windows Media Player issue, is it the following option: Tools/Options/Privacy/Enhanced Content Provider Services, and the checkbox with the words "Send unique Player ID to content providers"? Because if so then it has been unchecked and disallowed since installation, because I NEVER allow any of my programs to send any kind of statistics anywhere, because I had already been told that some hackers make use of those areas in programs to get access to your system.

Thanks..
vampyr2005 is offline  
Old 03-20-2005, 11:27 AM   #12 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Yes, I thought that was the problem with Media Player, but I guess it's not since you have it unchecked already.

OK, I PMed another Analyst here to help me out with this. The O13 and O15 entries in HijackThis should be removed. I will ask the other analyst (MicroBell) to come take a look at this for you, so hang in there.
greyknight17 is offline  
Old 03-20-2005, 02:49 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 181
OS: XP professional


Okay greyknight, thanks very much for your assistance. I have literally tried everything. Trend Micro's HouseCall online virus scanner came up perfectly clean, as did the Windows online trojan scanner. Also Ad-Aware and Spybot with the latest definitions and CWShredder also came up clean, and I can't access System Restore to restore my computer that way because it tells me that helpctr.exe is missing from my computer.
vampyr2005 is offline  
Old 03-20-2005, 06:35 PM   #14 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2


I need some info.

Click Start > Run and type in regedit. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

On the right side, list all entries found. You should have only one there called
Default....REG_SZ....http:\\ If more than that, list them.

Then navigate to each of the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges


List what's in each of those folders. I think Spybot's picking up the registry changes from 2 programs you installed: Windows Media Connect and that Webfldrs program. Something's still amiss though, since you just came off of a reinstall you should not have all these OS problems.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
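As an added example (not code from the thread, the poster or the analysts), the following Python script does the registry check MicroBell asks for above (URL\DefaultPrefix and the ZoneMap\Domains keys) and the ProtocolDefaults check he asks for in his next post, against a regedit export instead of by hand, and prints findings in the same form as the HijackThis O13/O15 lines in the logs. The sample export embedded in the script is constructed to mirror this thread (every protocol in zone 0, My Computer; the URL\DefaultPrefix key absent) plus two made-up Trusted-zone domain entries under example.net and example.org; the expected zone numbers (@ivt=1, file/ftp/http/https=3, shell=0) are the stock XP values, i.e. the zones the O15 lines say those protocols "should be" in. The .reg parser only understands dword and string values, which is all these keys hold.

```python
import re

# IE security zone ids as used under ZoneMap (stock meanings).
ZONE_NAMES = {0: "My Computer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Stock XP values of ZoneMap\ProtocolDefaults: the zone a URL scheme lands in
# when no Domains/Ranges entry claims the site. These match the zones the
# HijackThis O15 ProtocolDefaults lines say each protocol "should be" in.
EXPECTED_PROTOCOL_ZONES = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3, "shell": 0}

INET_SETTINGS = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
PROTOCOL_DEFAULTS_KEY = r"HKEY_LOCAL_MACHINE\%s\ZoneMap\ProtocolDefaults" % INET_SETTINGS
DEFAULT_PREFIX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix"

# Constructed sample of a regedit export (not from the poster's machine): every
# protocol in zone 0 like the HijackThis log, no URL\DefaultPrefix key at all,
# plus two made-up Trusted-zone domain entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000000
"file"=dword:00000000
"ftp"=dword:00000000
"http"=dword:00000000
"https"=dword:00000000
"shell"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org\free-stuff]
"http"=dword:00000002
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Handles "name"=dword:xxxxxxxx, "name"="string" and @="string" (default value);
    any other data type is kept as its raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = data
    return keys


def check_protocol_defaults(keys):
    """O15 ProtocolDefaults: each scheme must sit in its stock zone."""
    found = []
    values = keys.get(PROTOCOL_DEFAULTS_KEY, {})
    for proto, expected in EXPECTED_PROTOCOL_ZONES.items():
        actual = values.get(proto)
        if actual is None:
            found.append("O15 - ProtocolDefaults: '%s' protocol missing, should be %s Zone"
                         % (proto, ZONE_NAMES[expected]))
        elif actual != expected:
            found.append("O15 - ProtocolDefaults: '%s' protocol is in %s Zone, should be %s Zone"
                         % (proto, ZONE_NAMES.get(actual, actual), ZONE_NAMES[expected]))
    return found


def check_default_prefix(keys):
    """O13 DefaultPrefix: the stock default value is "http://". A changed prefix
    or a deleted key both alter what IE does with a bare hostname."""
    values = keys.get(DEFAULT_PREFIX_KEY)
    if values is None:
        return ["O13 - DefaultPrefix: URL\\DefaultPrefix key missing (stock default value is http://)"]
    actual = values.get("@", "")
    if actual != "http://":
        return ["O13 - DefaultPrefix: %r, should be 'http://'" % actual]
    return []


_DOMAINS_RE = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\(.+)$")


def check_zonemap_domains(keys):
    """O15 Trusted Zone: Domains\\<domain>[\\<host>] subkeys (HKLM or HKCU) whose
    values put a site in the Intranet (1) or Trusted (2) zone. Zone 4 entries are
    blocklist additions (SpywareBlaster style) and are not reported."""
    found = []
    for key, values in keys.items():
        m = _DOMAINS_RE.search(key)
        if not m:
            continue
        # Domains\example.org\free-stuff stores free-stuff.example.org
        host = ".".join(reversed(m.group(1).split("\\")))
        for scheme, zone in sorted(values.items()):
            if isinstance(zone, int) and zone in (1, 2):
                found.append("O15 - %s Zone: %s (%s)" % (ZONE_NAMES[zone], host, scheme))
    return found


def audit(reg_text):
    keys = parse_reg_export(reg_text)
    return check_protocol_defaults(keys) + check_default_prefix(keys) + check_zonemap_domains(keys)


def protocol_defaults_fix_reg():
    """A .reg file that restores the stock ProtocolDefaults values; merge it
    with regedit and re-scan with HijackThis to confirm the O15 lines are gone."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % PROTOCOL_DEFAULTS_KEY]
    lines += ['"%s"=dword:%08x' % (proto, zone) for proto, zone in EXPECTED_PROTOCOL_ZONES.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
    print(protocol_defaults_fix_reg())
```

On the affected XP box, export the real keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg` (or File > Export in regedit, whose default .reg format is UTF-16, so read that file with encoding="utf-16"), do the same for the HKCU ZoneMap and the HKLM URL key, concatenate the exports and pass the text to audit(). The sample run reports five protocols in the My Computer zone, the missing DefaultPrefix key (exactly what vampyr2005 found when the URL folder was not there), and the two Trusted-zone domains; shell=0 is correct and is not reported.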
Old 03-21-2005, 12:26 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 181
OS: XP professional


Hi and thanks.
In regards to the first entry you told me to check in the registry,
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\", I could not find the folder in the registry titled URL at all.
In relation to all of the other entries there was only one thing on the right hand side and that was: default ... reg_sz ... and nothing written in the data field.

Do you have any idea what the webfldrs and windows media connect refer to?

Thanks.
vampyr2005 is offline  
Old 03-21-2005, 12:46 AM   #16 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2


Webfldrs = Web Folders, or WebDAV, is a file transfer protocol that supports secure file transfer over intranets and the Internet. With Web Folders, you can upload, download, and manage files on a remote computer across an intranet and the Internet. Web Folders is similar to File Transfer Protocol (FTP); however, Web Folders provides a more secure environment for transferring files over the Web.

Windows Media Connect= Windows® Media Connect enables your digital media receiver (DMR) to stream music, video, and photos stored on your Windows XP–based computer anywhere in your home.

Run regedit and navigate to this key...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

Once that folder's open... give me the value data for each of these. I just need the last number, like so: (3).

File
Ftp
HTTP
HTTPS
@ivt
shell



Let's see if there is something else causing this...

Download and install TDS-3. Update its database and run a FULL system scan. Copy and paste the alarms it finds in the bottom window.

Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread..

Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

Download Find-qoologic.zip from my attachment here.
Umonitor among others
1. Unzip (It must be unzipped) the files to a folder on your desktop.
2. Open the qoologic folder, run qoologic.bat from there and wait for it to finish.
3. It will take awhile so wait until the dos window disappears and disk activity stops.
4. Then open the text file it created… found here c:\log.txt and paste the contents into your next post.

Download DLLCompare http://downloads.subratam.org/DllCompare.exe

Please put it in a folder on the root drive (C:\)
Click the Run locate.com button
When the scan is complete click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete.
Click the button Make a Log of what was Found

Post that log.

**Note** Only if you get an error after pressing Run Locate.com:
Copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder..


Please post all those logs
Last edited by MicroBell; 03-21-2005 at 01:04 AM.
MicroBell is offline  
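The ProtocolDefaults check MicroBell asks for above, as an added example (not from the thread and not one of the tools he recommends): a small Python script that parses a regedit export (File > Export on the ZoneMap key, saved as a .reg file) and reports every protocol whose zone differs from the stock Windows XP values. This is the same comparison HijackThis makes for its O15 "ProtocolDefaults" entries: a hijacker that pushes http/https from zone 3 (Internet) down to zone 0 (My Computer) or 1 (Local Intranet) makes every web site run with local permissions. The three sample exports are constructed for the example; the third one covers the case where the ProtocolDefaults key does not exist at all, which is what the original poster reports further down, and the script only reports that fact without guessing what Internet Explorer does in its absence.

```python
# Added example (not from the thread): parse a regedit export of the
# ProtocolDefaults key and flag any protocol mapped to a zone other than
# the stock Windows XP default. Zone numbers: 0 My Computer, 1 Local
# Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
import re

PROTOCOL_DEFAULTS_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\ZoneMap\ProtocolDefaults"
)

ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Stock XP values (the same table HijackThis O15 compares against).
EXPECTED = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3, "shell": 0}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name_lowercased: int}} for DWORD values
    found in a .reg export; non-DWORD values are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        val_match = _DWORD_RE.match(line)
        if val_match:
            keys[current][val_match.group(1).lower()] = int(val_match.group(2), 16)
    return keys


def check_protocol_defaults(export_text):
    """Compare exported ProtocolDefaults values with the stock layout.

    Returns (key_present, findings). findings holds one string per
    protocol that is missing or sits in the wrong zone; empty means clean.
    """
    values = parse_reg_export(export_text).get(PROTOCOL_DEFAULTS_KEY)
    if values is None:
        return False, []  # key absent: report it, draw no conclusion
    findings = []
    for proto, want in EXPECTED.items():
        got = values.get(proto)
        if got is None:
            findings.append(f"{proto}: value missing, expected {want} ({ZONE_NAMES[want]})")
        elif got != want:
            findings.append(
                f"{proto}: zone {got} ({ZONE_NAMES.get(got, 'unknown')}), "
                f"expected {want} ({ZONE_NAMES[want]})"
            )
    return True, findings


# Constructed sample: a clean export, as regedit's File > Export writes it.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"file"=dword:00000003
"ftp"=dword:00000003
"http"=dword:00000003
"https"=dword:00000003
"shell"=dword:00000000
"""

# Constructed sample: http and https pushed into zone 0, the hijack pattern.
TAMPERED_EXPORT = (
    CLEAN_EXPORT
    .replace('"http"=dword:00000003', '"http"=dword:00000000')
    .replace('"https"=dword:00000003', '"https"=dword:00000000')
)

# Constructed sample: export of the parent key when ProtocolDefaults is absent.
MISSING_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"""

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT),
                        ("missing", MISSING_EXPORT)):
        present, findings = check_protocol_defaults(data)
        print(f"{label}: key present = {present}")
        for finding in findings:
            print("   ", finding)
```

To run it against a real machine, export the ZoneMap key from regedit on the affected PC and read the file with `open(path, encoding="utf-16")`, since XP's regedit writes .reg files as UTF-16 by default; the parser itself is plain text and runs anywhere, which suits the poster's situation of working from a second, healthy computer.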
Old 03-21-2005, 01:09 AM   #17 (permalink)


Okay, I will do all of that. While I am doing that... is it okay to remove the webfldrs and the Windows Media Connect from my computer?
I do not believe that Windows Media Connect in itself is the problem, because my girlfriend's computer (the one that I'm on doing these posts and that my computer is networked to) has the Windows Media Connect software installed on it... however we have no use for it at all, so I would like to uninstall it if that will not cause any problems.....
vampyr2005 is offline  
Old 03-21-2005, 01:30 AM   #18 (permalink)


Okay, I went into regedit again and looked for the protocol values that you requested, and the ProtocolDefaults folder is not there either.....

With regards to these downloads that need to be unzipped.... is it alright for me to download them on the working computer and unzip them to folders on a portable drive and then copy them onto the problematic machine and run them that way? 'Cos the problematic computer will not allow me to use WinRAR properly at the moment either.......

thanks....
vampyr2005 is offline  
Old 03-21-2005, 02:26 AM   #19 (permalink)


I have another question .....
I have just done a CWShredder scan on my girlfriend's computer, because she has been getting a search window popup coming up even when she is not navigating through any pages or anything, and it detected and removed CWS.BOOTCONF. However, if we run the scan again it removes it again..... isn't it supposed to have been gone the first time?

does anyone know how I can get rid of it completely ?
vampyr2005 is offline  
Old 03-21-2005, 03:34 AM   #20 (permalink)


I have one more question for MicroBell...... can I use the programs that you directed me to download to check for and/or fix spyware problems on my girlfriend's computer as well, or are they only for the specific problems that they should be used for?
vampyr2005 is offline  
 


Copyright 2001 - 2009, Tech Support Forum