#1
Member
Join Date: Apr 2005
Posts: 27
OS: WinXP sp2
My HJT Log
Seems like I will start downloading something and the download freezes up:
Logfile of HijackThis v1.99.1
Scan saved at 7:53:55 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://darkhippie.adsl.dk/boards.asp?msgb=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.comcastsupport.com
O15 - Trusted Zone: http://www.gmail.com
O15 - Trusted Zone: http://www.rjtech.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pctuneup.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1108188222434
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#2
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
__________________
Blackduck30
Time is like money and milk, it's always running out. Any donations help keep TSF free for all.
#3
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Let's use a program to scan for any trojans that may exist. Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! from http://cleanup.stevengould.org/ (alternate link if the main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. We will use this later.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software...x2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware as described at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D from http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click the Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot.

If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix from http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Reboot into Safe Mode by hitting the F8 key until the menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.comcastsupport.com
O15 - Trusted Zone: http://www.gmail.com
O15 - Trusted Zone: http://www.rjtech.net

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC...%20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.
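The HijackThis log format that this thread revolves around is simple enough to parse by hand, and doing so makes it clear what the fix above is targeting. The following parser is an added example, not part of the thread and not code from HijackThis or KRC HijackThis Analyzer. It reads a constructed sample log (modelled on, but much shorter than, the logs posted here), splits it into the running-process list and the section-coded findings, and then pulls out the items a helper would look at first: O15 Trusted Zone additions and the blank R0 LinksFolderName value that the fix above removes, plus O1 hosts-file overrides and O16 download controls for review. The section names are the ones HijackThis uses; which of them count as "look at first" is my own triage assumption.

```python
"""Parse a HijackThis 1.99-style log into structured entries and pull out the
items a helper would look at first. Added example; not part of the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log, modelled on (but much shorter than) the logs posted in
# this thread. It is assumed input, not a real scan.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 7:53:55 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://darkhippie.adsl.dk/boards.asp?msgb=1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.gmail.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pctuneup.com/pcpitstop/PCPitStop.CAB
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Every HJT finding starts with a section code (R0, F1, O4, O15, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O15"
    detail: str   # everything after "O15 - "


def parse_hjt_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running processes, findings) from the log text."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first finding ends the process list
            entries.append(Entry(match["section"], match["detail"].strip()))
        elif in_processes:
            processes.append(line)
    return processes, entries


def trusted_zone_sites(entries: List[Entry]) -> List[str]:
    """O15 entries: sites added to IE's Trusted Zone, which runs with relaxed security."""
    return [e.detail.split(":", 1)[1].strip()
            for e in entries
            if e.section == "O15" and e.detail.startswith("Trusted Zone:")]


def empty_ie_values(entries: List[Entry]) -> List[str]:
    """R0/R1 entries whose value is blank, like the LinksFolderName line in the thread."""
    blanks = []
    for e in entries:
        if e.section in ("R0", "R1") and "=" in e.detail:
            key, _, value = e.detail.partition("=")  # split at the first '='
            if not value.strip():
                blanks.append(key.strip())
    return blanks


def hosts_overrides(entries: List[Entry]) -> List[Tuple[str, str]]:
    """O1 entries: hosts-file lines that pin a name to an IP, bypassing DNS."""
    found = []
    for e in entries:
        if e.section == "O1" and e.detail.startswith("Hosts:"):
            ip, _, host = e.detail[len("Hosts:"):].strip().partition(" ")
            found.append((ip, host))
    return found


def review(text: str) -> Dict[str, object]:
    """Summarise the log the way a helper triaging it would."""
    processes, entries = parse_hjt_log(text)
    return {
        "process_count": len(processes),
        "entry_count": len(entries),
        "trusted_zones": trusted_zone_sites(entries),
        "empty_ie_values": empty_ie_values(entries),
        "hosts_overrides": hosts_overrides(entries),
        "download_controls": [e.detail for e in entries if e.section == "O16"],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script to see the triage summary for the sample, or feed `review()` the text of a saved log. The O15 and blank-R0 lists are exactly the entries the fix above tells the poster to check in HijackThis; the O1 and O16 lists are only surfaced for a human to judge, since a hosts entry or a download control can be legitimate.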
#4
Member
Join Date: Apr 2005
Posts: 27
OS: WinXP sp2
So the first thing you want me to do is download a program called Registry Mechanic?
The reason I ask is because when I click on "Download Now" it takes me to Tucows with a link to Registry Mechanic. I'm running WinXP SP2.
Last edited by BZW; 05-26-2005 at 07:42 PM.
#6
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hello BZW,
If you are having problems downloading or running TDS-3, just leave that out for the moment and continue with the rest of the fix.
#7
Member
Join Date: Apr 2005
Posts: 27
OS: WinXP sp2
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:13:28 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://darkhippie.adsl.dk/boards.asp?msgb=1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pctuneup.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...rols/en/x86/client/wuweb_site.cab?1108188222434
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2....trendmicro.com/housecall/xscan53.cab
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#8
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Your log looks clean. If you're not having any more trouble, then:

Turn off System Restore by clicking Start, right-clicking My Computer and then clicking Properties. Click the System Restore tab, check "Turn off System Restore" or "Turn off System Restore on all drives", and click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your system.

To turn System Restore back on, click Start, right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial at http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
#9
Member
Join Date: Apr 2005
Posts: 27
OS: WinXP sp2
Great, Blackduck, thank you very much :)
I have 2 questions:

1. How do I uninstall this when I don't know where it's installed: "Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards."?

2. After I ran the CleanUp! program it took the "XP look" off of my taskbar and browser. How can I get it back?
#10
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hello BZW,
With DelO15Domains you can just right-click on it on your desktop and choose Delete. This is a stand-alone program and does not install on your system.

To restore your XP look you can right-click an empty section of your desktop. It will bring up Display Properties; under the Themes tab there will be a drop-down box where you can change your theme. Windows XP will be listed there.
#12
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hello BZW,

SYMPTOMS
You cannot change desktop themes, and you cannot select the Windows XP theme on a Microsoft Windows XP-based computer.

CAUSE
This problem occurs when the Themes service is stopped.

To resolve this problem, start the Themes service. To do this, follow these steps:
1. Click Start, click Run, type services.msc, and then click OK.
2. In the list of services, right-click Themes, and then click Properties.
3. On the General tab, click Automatic in the Startup type list.
4. On the General tab, click Start under Service status, and then click OK.
5. Exit Services.

Information from http://support.microsoft.com/default...b;en-us;883391

See if that helps.
Last edited by blackduck30; 05-30-2005 at 02:58 AM.
#14
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hello BZW,
Did you try changing Windows and buttons under Appearance in Display Properties to Windows XP style from Windows Classic style?