Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

User Tag List

My Hijack files...what a mess!

This is a discussion on My Hijack files...what a mess! within the Inactive Malware Help Topics forums, part of the Tech Support Forum category. My AOL Spycatcher found "Trojan.win32.dialer.hc" and deleted it. I came on here to read about it and make sure it


 
 
Thread Tools Search this Thread
Old 11-08-2005, 04:27 PM   #1
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



My AOL Spycatcher found "Trojan.win32.dialer.hc" and deleted it. I came on here to read about it and make sure it was all gone and when I went to, per your instructions: HKEY_CURRENT_USER/Software/Microsoft/Windows/Current Version/Internet Settings/Zone Map/Domains" all kinds of garbage folders were there including coolsearch, porn sites, sex sites, etc. I have NEVER EVER visited a porn site (I'm just a "Mommy"), and no one else has access to this computer. I have, and have had for some time, Norton System Works, AVG free antivirus, WinPatrol, Spybot, and Ad-Aware, which I constantly keep up to date. First of all HOW IN THE WORLD did I get this junk and how do I get rid of it? I did the entire thing you said to do, did the online scan (both Kaspersky and Trend Micro), etc. Norton, AVG, etc. never found this trojan before or now. AVG did find something called "Keylogger" a few weeks ago and caught it and deleted it, but they did not evidently catch this trojan. Also, most of the time when I click on a box to search or put my password, I get a long box at the bottom of my browser, with a pink square on the end and my typing ends up in that box. I have not added a toolbar, ever. I usually have to close the browser and start over to get rid of it. What is THAT? Here is the Hijack file, and the Hijack Analyzer file: Well, I just went to put the files here and the Analyzer file was there but the Hijack.log file has disappeared. I'm going to paste the Analyzer file here and get offline and go do the other file again. I will repost it. Ok, here are both of them. I saved the Hijack this file to my desktop instead of the HT folder this time. Man oh man...this is so goofy. When I clicked on my bookmark for here, I got a weird page with Chinese type writing on it (in English, but Asian looking writing). I had to close the browser and reopen it. Here are the files:
====================================================================
Logfile of HijackThis v1.99.1
Scan saved at 6:11:07 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
c:\program files\common files\aol\1129301489\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Sally.YOUR-DSHVPXMR2S\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://wnd.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: F1U201.401.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/22af453b...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.co...?1102124042937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - https://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1131475095386
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - https://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at https://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:40:14 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
c:\program files\common files\aol\1129301489\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
C:\Documents and Settings\Sally.YOUR-DSHVPXMR2S\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://wnd.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
O4 - Global Startup: F1U201.401.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/22af453b...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.co...?1102124042937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - https://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1131475095386
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - https://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Fieldmouse is offline  
Sponsored Links
Advertisement
 
Old 11-08-2005, 11:49 PM   #2
TSF Security Team, Emeritus
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7


Send a message via ICQ to MicroBell Send a message via MSN to MicroBell
Here comes a shocker.....your log is clean!

Lets see what we can uncover....

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Please post that log in your next reply


Download Silent runners.Vbs https://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.

*Note* The entrys in this key

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zone Map/Domains


are fine. These are IE's RESTRICTED sites zone..meaning those are being blocked in IE.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!



MicroBell is offline  
Old 12-05-2005, 11:54 AM   #3
Guest
 
Join Date: Nov 2005
Posts: 54
OS:


I went to Silent Runners and clicked on the Silentrunners.vbs and a page came up that was just writing. No program. Is this correct?
Fieldmouse is offline  
Sponsored Links
Advertisement
 
Old 12-05-2005, 05:29 PM   #4
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64


Right click this link and Select Save As:

https://www.silentrunners.org/Silent%20Runners.vbs

Save it to your desktop. Follow MB's instructions from there.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 12-12-2005, 05:04 PM   #5
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



I went and did what you said to do and there was no report from Panda. It said all was fine. I don't understand how to do the Script thing. It is just a text file. How do I "run" it? I rebooted and there was the Netster thing again. the Key says (always the same) 56336BCB-3D8A-11D6-A00B-00500A180E71, if that means anything. I ran the HiJack This again before I deleted that Netster key again and the log is below. Also, AOL continually says it find "Download.Win32.Trojan" and says that it kills it. Is that legit? One more thing...I was on the web a couple a few days ago and went to a website looking for a "Waverl" bedspread and all of a sudden boxes kept popping up asking me if I wanted to download file "dxru67234234.exe" or whatever, and I said no, but it did it automatically anyway and Norton caught them and told me they were trojans. If that is the case, do I have to worry about this, too? Is there any way that one of them could have gotten through? I can't remember if I did this HJ file before or after that happened. Here is the HJ file:

Logfile of HijackThis v1.99.1
Scan saved at 1:52:47 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\common files\aol\1129301489\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\regedit.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wnd.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\SALLY~1.YOU\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe /startupscan
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: F1U201.401.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.co...?1102124042937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - https://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1131475095386
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - https://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Fieldmouse is offline  
Old 12-12-2005, 07:46 PM   #6
TSF Team, Emeritus
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,311
OS: Windows 98 & Windows XP Home/Pro

My System

For Silent Runners, did you RIGHT-CLICK on it and choose Save Target As... Then save it. Run it from your computer.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at https://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to https://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! https://cleanup.stevengould.org/ (Alternate Link if main link don't work - https://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to https://www.bleepingcomputer.com/foru...howtutorial=61 ).

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

Restart your computer. Post the logs for HijackThis and Ewido.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17 is offline  
Old 12-20-2005, 05:53 PM   #7
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



I did all that you said to do. When I rebooted, the "Netster" key was back in, STILL. It shows in the HijackThis file and I made a note underneath it that it is the "Netster" key. I forgot to have Spybot delete it and when I went to log on to this forum, the red box came up as I was typing in my User name and I realized it was that #@%$ Netster, so I deleted it. How in the world can I get the thing to be gone PERMANENTLY? I delete it from Spybot, SUPPOSEDLY permanently, every time I boot up but it comes back. Here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 7:19:18 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
c:\program files\common files\aol\1129301489\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Common Files\AOL\1129301489\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
C:\WINDOWS\System32\svchost.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wnd.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\SALLY~1.YOU\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe /startupscan
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: F1U201.401.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - https://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
(THIS ONE ABOVE IS THE ONE THAT SAYS IT IS NETSTER MALWARE WHEN RUNNING SPYBOT)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.co...?1102124042937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - https://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1131475095386
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - https://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:59:54 PM, 12/20/2005
+ Report-Checksum: 18FDF610

+ Scan result:

C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup


::Report End
Fieldmouse is offline  
Old 12-20-2005, 07:40 PM   #8
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64


The reason we keep asking for a SilentRunners log is that it shows us much more of what's running on your system.

We have now tried 3 times to get a log from this tool.

That O16 entry can be held in place by WinPatrol or Spybot's TeaTimer.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

To disable WinPatrol, right click the icon in the System Tray, and select Exit Program.

Fix this entry with HJT:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/22af453b...p/RdxIE601.cab

Try to run SilentRunners and post a log from that tool.
Right click on https://www.silentrunners.org/Silent%20Runners.vbs and choose Save Target (or Link) As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.


Failing that, please do this:

Create a Startup List:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notebook onto your post

Re-enable TeaTimer and WinPatrol.

Post a new HJT log. Report on your system's condition, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 12-22-2005, 03:09 PM   #9
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



I opened HiJack This and didn't understand what you mean by "Fix this entry with HJT:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/22af453b...p/RdxIE601.cab

I disabled Tea Timer, and Win Patrol and Norton Script writing, but now I don't know what to do with the above. Help?????
Fieldmouse is offline  
Old 12-22-2005, 04:18 PM   #10
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



"Silent Runners.vbs", revision 41, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Sonic RecordNow!" = (empty string)
"Norton SystemWorks" = ""C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" ["Symantec Corporation"]
"HijackThis startup scan" = "C:\HiJackThis\HijackThis.exe /startupscan" ["Soeperman Enterprises Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS Windows KeyHook" = "C:\WINDOWS\System32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"HostManager" = "C:\Program Files\Common Files\AOL\1129301489\ee\AOLHostManager.exe" ["America Online, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]
"EPSON Stylus Photo RX500" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"" ["SEIKO EPSON CORPORATION"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"guard" = "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["TODO: <Company name>"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"]
"{C14F7681-33D8-11D3-A09B-00500402F30B}" = "CtxMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony\Image Converter\CtxMenu.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
CtxMenu\(Default) = "{C14F7681-33D8-11D3-A09B-00500402F30B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony\Image Converter\CtxMenu.dll" [empty string]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Sally.YOUR-DSHVPXMR2S\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Sally" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Sally.YOUR-DSHVPXMR2S\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Sony Handheld\Hotsync.exe" ["Palm, Inc."]
"Screen Shot" -> shortcut to: "C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe" [empty string]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"Event Planner Reminders Tray Icon" -> shortcut to: "C:\SIERRA\CardStudio\PLNRnote.exe" ["Sierra Online, Inc."]
"F1U201.401" -> shortcut to: "C:\Program Files\Belkin\F1U201.401\usbshare.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Sally" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=https://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "MGINavigationCanceled" = (empty string)
HIJACK WARNING! "MGIWelcome" = (empty string)
HIJACK WARNING! "MGIOfflineInformation" = (empty string)


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe" ["America Online, Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
SAVScan, SAVScan, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 42 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 27 seconds.
---------- (total run time: 125 seconds)
Fieldmouse is offline  
Old 12-22-2005, 06:09 PM   #11
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64


Quote:
Originally Posted by Fieldmouse
I opened HiJack This and didn't understand what you mean by "Fix this entry with HJT:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/22af453b...p/RdxIE601.cab

I disabled Tea Timer, and Win Patrol and Norton Script writing, but now I don't know what to do with the above. Help?????
Sorry, Fieldmouse, I didn't read the whole thread. Usually by the time someone gets as many posts in a thread as there are here, HJT has been used already to fix entries. Here's how:

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - https://software-dl.real.com/22af453b...p/RdxIE601.cab

Is it just the Nester issue troubling your system now? Any improvement? I'm not seeing anything in that SilentRunners log, and thanks for providing it. You've run online scans, and nothing has been found. If you still have issues, we'll break out the bigger guns and dig deeper.

Let us know.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 12-28-2005, 05:37 PM   #12
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



Well, not at any time has Hijack This had ANY checkmarks on it, ever. And I ALWAYS have had the "Netster" Active X thingy showing as malware in Spybot. If I didn't delete it EVERY time I booted up, when I went to type a password on the web, the red box came up trying to steal my password. NOW, however, the Netster Active X key is no long showing, BUT when I got on the web just now, there it popped up when I was going to put in one of my Passwords on a site. I have realized something interesting however, it is happening whenever I go to my bookmarks in Firefox and click on one of them to go to the web that the box is coming up. If I TYPE the address in the address bar, it DOESN'T pop up! But I just CAN'T DELETE ALL OF MY BOOKMARKS!!! I have had them for YEARS and had even imported my old ones from IE. This Netster thing didn't start happening until (I'm a musician) was looking for some lyrics on the web. Apparently, during one of those times, I inadvertantly downloaded it with some lyrics or something? Anyway, now what do I do. It is obviously somehow tied to my bookmarks, but now doesn't show up in the Active X keys, but is still "alive and well" if I click on a bookmark. Thanks, Sally
Fieldmouse is offline  
Old 12-30-2005, 03:23 PM   #13
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



I'm just moving this back up to get a reply. Thanks
Fieldmouse is offline  
Old 12-31-2005, 02:22 PM   #14
Guest
 
Join Date: Nov 2005
Posts: 54
OS:


Well, not at any time has Hijack This had ANY checkmarks on it, ever. And I ALWAYS have had the "Netster" Active X thingy showing as malware in Spybot. If I didn't delete it EVERY time I booted up, when I went to type a password on the web, the red box came up trying to steal my password. NOW, however, the Netster Active X key is no long showing, BUT when I got on the web just now, there it popped up when I was going to put in one of my Passwords on a site. I have realized something interesting however, it is happening whenever I go to my bookmarks in Firefox and click on one of them to go to the web that the box is coming up. If I TYPE the address in the address bar, it DOESN'T pop up! But I just CAN'T DELETE ALL OF MY BOOKMARKS!!! I have had them for YEARS and had even imported my old ones from IE. This Netster thing didn't start happening until (I'm a musician) was looking for some lyrics on the web. Apparently, during one of those times, I inadvertantly downloaded it with some lyrics or something? Anyway, now what do I do. It is obviously somehow tied to my bookmarks, but now doesn't show up in the Active X keys, but is still "alive and well" if I click on a bookmark. Thanks, Sally
Fieldmouse is offline  
Old 12-31-2005, 08:53 PM   #15
TSF Team, Emeritus
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,311
OS: Windows 98 & Windows XP Home/Pro

My System

Run a virus scan using Kapersky Online Scanner. Just click on the Kapersky Online Scanner button and read what's posted there - hit Accept once you're done. Download the ActiveX file when prompted. Scanning will begin shortly. When it's done post the log here.

See if it finds anything. If not, try doing a search for netster.dll and delete it if found.

If all else fails, we'll try the uninstaller from Netster (we usually don't recommend using uninstallers from the authors who created it though...). Download it here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17 is offline  
Old 01-02-2006, 08:36 AM   #16
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



How can I know that? My brother said they can put things in shrink wrap, etc. and put all kinds of viruses and trojans on them. How could I know if I tell Norton to allow the scripting? Also, my Norton is about to expire. What would you suggest? A tech friend said to use Trend Micro, the whole works. What do you think? Thanks, Sally
Fieldmouse is offline  
Old 01-02-2006, 12:08 PM   #17
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



Here is the Kaspersky file. It found two trojans. Now what? Thanks.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 02, 2006 13:10:08
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/01/2006
Kaspersky Anti-Virus database records: 158460
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 84759
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 5173 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{5497ED88-1E36-409E-8F55-A516EA2CAD30}\RP416\A0075589.exe Infected: Trojan.Win32.Dialer.mi
C:\System Volume Information\_restore{5497ED88-1E36-409E-8F55-A516EA2CAD30}\RP416\A0075590.exe Infected: Trojan.Win32.Dialer.mi

Scan process completed.
Fieldmouse is offline  
Old 01-02-2006, 12:24 PM   #18
TSF Security Manager
Emeritus
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Post a new HJT log.

Did you elminate the netster.dll from the previous instructions?

What issues do you have still?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 01-02-2006, 09:47 PM   #19
Guest
 
Join Date: Nov 2005
Posts: 54
OS:



I haven't done the new restore point because I came on here to check your answer and at the same time, I ran the update to Spybot. It "hung" while installing the update, as has happened before, so I cancelled it and did it again and it worked. IMMEDIATELY after that I came in here to put my Username and password and the red "Netster" box popped up at the bottom as I was typing in my Username. Is this somehow associated with an errant Spybot update file? I haven't rebooted to see ief the key, which had been gone, is now back in the Active X files. Not sure what to do now...do I still do the Restore instructions or something else first in the light of this? For pete's sake......can you believe this????? Arggggggg.....
Fieldmouse is offline  
Old 01-04-2006, 01:29 AM   #20
TSF Security Team, Emeritus
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7


Send a message via ICQ to MicroBell Send a message via MSN to MicroBell
Let's poke around some more but I need to clarify this "Netster" thing. Are you saying it's still poping up and monitoring you...or is it just Spybot detecting some registry key for it?

Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Download WinPFInd https://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo https://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Startdreck log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!



MicroBell is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 09:31 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts