1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HJT log:need help,... (about:blank,...)

Discussion in 'Virus & Other Malware Removal' started by boliv, Jan 26, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Hi,

    I have several problems with the browser.
    I ran Spybot, Ad-Aware SE personal and CSShredder, but still remains some problems.

    Here is my HJT log.
    I hope you can help!

    Thanks.

    Logfile of HijackThis v1.98.2
    Scan saved at 08:49:24, on 26/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Maintenance Ordi\FreeScanner.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Documents and Settings\User\Desktop\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.spss.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\Maintenance Ordi\FreeScanner.exe -FastScan
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {11111111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
    O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
    O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{422234A2-19FD-4715-9AA1-61E527D712A8}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FA80035-DE34-4FB8-A1FB-5B0427245276}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
     
  2. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    Hi boliv,

    First off, go here and download the latest version of Hijack This:

    http://tomcoyote.org/hjt

    After installing the newer HijackThis, do this:

    Do a CTRL+ALT+DEL to open Task Manager and under running "Processes" kill ("End Process") EACH and EVERY one of EACH of the following processes (if you find them) - you may find more than one occurance of either of them:

    sethcd.exe
    smbdins.exe
    FreeScanner.exe
    tsmsetup.exe
    iesp1.dll


    Run Hijack This again and put a check next to each of the following items, then close all other windows and browsers (including this one - leaving only HijackThis open) and then click "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll

    O4 - HKCU\..\Run: [Spyware Vanisher] C:\Maintenance Ordi\FreeScanner.exe -FastScan

    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab

    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab

    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab

    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab

    O16 - DPF: {11111111-1111-1111-1111-611111193457} - file://c:\wx.cab

    O16 - DPF: {11111111-1111-1111-1111-611111193458} - file://c:\wx.cab

    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)



    If you don't use or know this entry, then you should also fix it in HijackThis:

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    If your ISP or network doesn't use these (following) entries, they should also be fixed in Hijack This:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31

    O17 - HKLM\System\CCS\Services\Tcpip\..\{422234A2-19FD-4715-9AA1-61E527D712A8}: NameServer = 69.50.188.180,195.225.176.31

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FA80035-DE34-4FB8-A1FB-5B0427245276}: NameServer = 69.50.188.180,195.225.176.31

    O17 - HKLM\System\CS1\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31



    Uninstall spywarevanisher - it is scumware, it is adding spyware to your system


    Now boot to Safe Mode

    How to boot to Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    To make your hidden files and folders visible, go to Start > Search and under "More advanced search options". Make sure there is a check next to "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Now click on My Computer. Go to Tools > Folder Options. Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Now in Safe Mode find and delete the following files:

    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\Maintenance Ordi\FreeScanner.exe <-- if still there after uninstalling spywarevanisher
    C:\WINDOWS\System32\iesp1.dll


    Delete files/folders from the following directories (But not the directory itself, for example delete all files/folder IN temp.
    C:\Windows\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <<<This will delete your files in your internet cache--including cookies.
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

    Then empty the Recycle Bin.

    Then reboot to normal mode.

    Now go here to do an online virus scan (make sure you checkmark to scan AND clean):

    http://housecall.trendmicro.com/


    Run Hijack This again and post a new log here


    Wayne
     
  3. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Thanks Wayne for your help. I did what you mentionned.
    I didn’t find the 5 processes in the Task Manager.
    When I fixed the checked entries by HJT, there was an error message concerning the “021- SSODL,…” line. (“unexpected error has occurred at procedure …”_). However the line was deleted. All the rest went fine.
    With the online virus scan, it found one "Troj Mediket.c" that it said "uncleanable". However, I could delete it.

    I join the new HJT log file; as you can see there is still 2 suspicious 016 lines.
    Tell me what to do...

    Thanks.



    Logfile of HijackThis v1.99.0
    Scan saved at 14:49:02, on 26/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\spsswin.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Documents and Settings\User\Desktop\HJT last\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.spss.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
    O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  4. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Hi,
    Can anybody continue to help me on this?
    The "about:blank" start page has gone as well as some other things but there is still some hijacking web pages. Also, I regularly receive some "messages" from "Windows Security Centre" mentionning that "warning Windows firewall detected suspicious activity on your computer,...., do you want to download certified software,...". (I didn't). Also some baloons with "Your computer might be at risk"....

    Thanks for help.
    I join a current HJT, in case.

    boliv.

    Logfile of HijackThis v1.99.0
    Scan saved at 08:34:01, on 28/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\spsswin.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\User\Desktop\HJT last\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.spss.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
    O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  5. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    Hi boliv,

    Sorry, Pal, I have been super busy and haven't been on here for more than a day because I have had so much going on, sorry about that,

    Try this:

    Do a CTRL+ALT+DEL to open Task Manager and under running "Processes" kill ("End Process") EACH and EVERY one of EACH of the following processes (if you find them) - you may find more than one occurance of either of them:

    spsswin.exe
    sethcd.exe
    tsmsetup.exe
    vbsys2.dll


    Run Hijack This again and put a check next to each of the following items, then close all other windows and browsers (including this one - leaving only HijackThis open) and then click "Fix checked":

    O15 - Trusted Zone: http://*.63.219.181.7

    O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab

    O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab



    If you aren't using the following, then you should fix them also in Hijack This:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.spss.com/



    If you haven't updated your Antivirus recently (Norton), then please do that now (don't run it yet, tho').

    Also, if you haven't updated Spybot or Adaware recently, then, while online, click to search for updates for them as well (again, don't run them yet).

    Now boot to Safe Mode

    How to boot to Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    To make your hidden files and folders visible, go to Start > Search and under "More advanced search options". Make sure there is a check next to "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Now click on My Computer. Go to Tools > Folder Options. Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Now in Safe Mode find and delete the following files (some of them may not be there, but you have to look):

    c:\x.cab
    C:\WINDOWS\System32\vbsys2.dll
    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe


    Delete files/folders from the following directories (But not the directory itself, for example delete all files/folder IN temp.
    C:\Windows\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <<<This will delete your files in your internet cache--including cookies.
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

    Then empty the Recycle Bin.

    Go to Properties of Internet Explorer (right mouse click on Internet Explorer on your desktop), click on the "Security" tab along the top (I'm making a wild guess that in XP you'll see basically the same things I see in 98 (right now that's all I am using), but you can get to/find these settings easily enough if my directions here don't tell you how (if you have difficulty, let me know and I'll find the exact directions for ya). When you click on the "Security" tab, you'll see four icons in the white window across the top - one of them is "Trusted Sites (might say "safe" sites in XP, whatever)" it is a green circle w/ a check mark in it. Click on that icon to highlight it, and, when it's highlighted, then click on the "Sites" button just below that window, and then, in the page that comes up, look in the list of sites in the lower window for the following entry:

    http://*.63.219.181.7

    If you find it in there, click it to highlight it and click the "Remove" button, to the right, and then "OK, and "OK"

    Now do a scan of your computer first with your antivirus, and then with Adaware, and then with Spybot (fixing/killing/deleting all they find).

    Then reboot to normal mode.

    Go here and download SpywareBlaster:

    http://www.javacoolsoftware.com/spywareblaster.html

    Install and run it, and, while online, get the updates, and then click on all three of the tabs across the top (Internet Explorer, Restricted sites, and (if you use it) Mozilla Firefox) and enable protection under each tab against all listed nasties. Make sure before you close the program, that, when the "Status" tab (along the top) is highlighted, it says (for (next to) each of the above three categories) "0 items have protection disabled".

    SpywareBlaster installs itself into your computer and tweaks your browser settings so they are very secure and keeps spyware from implanting itself on your computer (it's not completely foolproof, but it's an excellent extra layer of added protection in the war against the bad guys)

    Now go here to do an online virus scan (make sure you checkmark to scan AND clean):

    http://housecall.trendmicro.com/


    Run Hijack This again and post a new log here


    Wayne
     
  6. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Thanks again Wayne!
    Before i do all what you said, I have a question: you said to delete`the process "spsswin.exe". This is probably refering to the "SPSS" software I have; so better not to delete, isn't it??

    Please let me know.


    boliv.
     
  7. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    The reason I told you to delete that file is that it is normally supposed to be in its own folder called SPSS (or similar) within the Program Files folder, and that isn't where it's running (that could be ok, I don't know, I just know that it isn't running where it (from what I have found by googling around) should be running - often viruses and trojans will do that, use a legitimate file name but be running in a place they shouldn't be running). That might or might not be a problem. If you're wanting to be cautious about deleting it, I understand. I did find that there is some leeway regarding location of this file, but I didn't find any place where it says it's ok for it to be running in other than its own folder. If you want to be cautious, then leave that file alone and see if, by doing the other things I said, it fixes the problem.

    Wayne
     
  8. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Thanks.
    Here is my new HJT after I did what you mention. (I didn't find this http//63.219.181.7 in the Trusted Sites).

    So far, it seems ok. I'll let you know if some bizarre things appear again,...

    Thanks again.

    boliv:
    Logfile of HijackThis v1.99.0
    Scan saved at 18:27:17, on 28/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\User\Desktop\HJT last\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.spss.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17274213-8D60-46D1-8554-41A9C7E0DA8B}: NameServer = 69.50.188.180 195.225.176.31
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  9. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    It looks clean to me. I would only emphasize how important it is to be running a firewall (it doesn't look like you are now), keeping both your antivirus and antispyware programs updated (especially SpywareBlaster), and running a complete system scan with all of them regularly - once every week or two - (and occasionally run them in Safe Mode to see if they find anything different).

    here are links to two excellent and free firewalls:

    ZoneAlarm: http://www.zonelabs.com

    Sygate: http://smb.sygate.com/products/spf_standard.htm

    following installation and configuration, go here to test your firewall:

    http://www.grc.com/x/ne.dll?bh0bkyd2

    God bless and happy surfing =)

    Wayne
     
  10. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Well, well; it seems I am still not out of it,...
    I installed Zone Alarm and tested it.
    Despite of it, I still have some nasties coming on.
    e.g: the site "findyourgirl.net" pops in time to time (curiously, before I installed ZA, it came with pictures, while now there is only the text remaining!!); also other pages like "http://rooms4poker.com/in.html" or "http://rooms4poker.com/cards.jpg" or "res://C:\WINDOWS\System32\shdoclc.dll/offcancl.htm#http://www.allspyware.org"...
    In addition, there is still those messages from "Windows Security Centre" mentionning that "warning Windows firewall detected suspicious activity on your computer,...., do you want to download certified software,...". (I didn't). Also some baloons with "Your computer might be at risk"....

    Last:I also removed the "Trusted Zone: http://*.63.219.181.7", but it came back.

    I still paste a HJT log,...
    Thanks if you still can do something for me.

    boliv.

    Logfile of HijackThis v1.99.0
    Scan saved at 15:55:38, on 31/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Documents and Settings\User\Desktop\HJT last\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  11. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    do the CTRL + ALT + DEL to "end process" the following processes (it looks like they're back again):

    smbdins.exe
    sethcd.exe
    tsmsetup.exe
    vbsys2.dll


    Kill the following in HijackThis:

    O15 - Trusted Zone: http://*.63.219.181.7

    While online, open Spybot and download the latest updates from the internet, then do the same with AdAware SE, and then open SpywareBlaster and click on the link at the bottom to download the latest protection updates (or "check for updates", whatever it says), download them and it will install them. Don't run them yet.

    Now boot to Safe Mode

    How to boot to Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    To make your hidden files and folders visible, go to Start > Search and under "More advanced search options". Make sure there is a check next to "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Now click on My Computer. Go to Tools > Folder Options. Click on the "View" tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Find and delete any of the following that you can find:

    c:\x.cab
    C:\WINDOWS\System32\vbsys2.dll
    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe


    Delete files/folders from the following directories (But not the directory itself, for example delete all files/folder IN temp.
    C:\Windows\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
    C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <<<This will delete your files in your internet cache--including cookies.
    C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

    Then empty the Recycle Bin.

    Stay in Safe Mode.

    Go to Properties of Internet Explorer (right mouse click on Internet Explorer on your desktop), click on the "Security" tab along the top (I'm making a wild guess that in XP you'll see basically the same things I see in 98 (right now that's all I am using), but you can get to/find these settings easily enough if my directions here don't tell you how (if you have difficulty, let me know and I'll find the exact directions for ya). When you click on the "Security" tab, you'll see four icons in the white window across the top - one of them is "Trusted Sites (might say "safe" sites in XP, whatever)" it is a green circle w/ a check mark in it. Click on that icon to highlight it, and, when it's highlighted, then click on the "Sites" button just below that window, and then, in the page that comes up, look in the list of sites in the lower window for the following entry:

    http://*.63.219.181.7

    If you find it in there, click it to highlight it and click the "Remove" button, to the right, and then "OK"

    Now click on the "Restricted Sites" icon in that white window in the upper part of the
    "Security" tab, and then click on the "Sites" button right below it. When that window opens, you should see a whole bunch of sites in the lower box that have been added in there (they got in there by your "Immunizing" in Spybot, or "enabling protection" from all these sites in SpyWareBlaster (you DID install and enable all the protection in SpywareBlaster, right?).

    Now in the box that says, "Add this Web site to the zone", type in :

    63.219.181.7

    just like you see it here.

    then click "Add" and scroll down (if you need to) in the window below to make sure it added it to the list in that box. (that box should be chock full of site names and numbers)

    Then click on "OK", and, making sure the "Restricted Sites" is the icon that is still highlighted in the upper window (click on it again just to make sure), now click on the "Custom Level" button near the bottom of the window, and you'll see a list, from top to bottom, of different "permissions" and permission levels. Make sure that every one of them in this window (scroll down to the bottom one) has "Disable" selected/checked (SoftwareChannel permissions should be: High Safety) and that the bottom one has "Prompt for user name and password" selected/clicked.

    When all of them have "Disable" chosen (and the last one "Prompt for username and password"), then click "OK" and "OK"

    I would now open SpywareBlaster, and make sure it has everything enabled (all protection ). . you should see three lines along the right side that say "0 items have protection disabled", and then below that should be some number over 3000 "items in database". Don't close Spywareblaster til it says that 0 items have protection (in three different places along the right on the main "Status" page, unless you don't have or use Mozilla Firefox, then it should still say it for Internet Explorer and Restricted Sites). If it doesn't say that, make sure you have done the following:

    Click the "Internet Explorer" tab along the top (this is all in SpywareBlaster), now click the two boxes just below the top that say:

    "Prevent the installation of ActiveX based spyware, dialers, etc."
    "Prevent spyware/tracking cookies"


    Then click the box along the bottom that says: "protect against checked items"

    then when it's done, click the "Restricted Sites" item along the top of SpywareBlaster

    click the box just below the top that says:

    "Restrict the actions of spyware/ad/tracking sites in Internet Explorer"

    Then click the "protect against checked items" button along the bottom, wait til it's done, click on the "Status" button on the top,
    and now it should say, next to each of the above mentioned items (IE, Restricted sites, and Mozilla Firefox) " 0 items have protection disabled" and below that the list of items in the database.

    Now close SpywareBlaster and run Spybot, fixing all it finds, and then do the same with Adaware SE (all of this still in Safe Mode).

    Reboot your computer to normal mode

    Go to more than one of the following sites to do an online virus scan
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

    Run Hijack This again and post a new log back here


    Wayne
     
  12. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Hi Wayne,

    Shall I start to loose hope? I did all what you said, and…., the same symptoms occurred again,…
    Only, I never found the processes you mentioned. Neither this “c:\x.cab”.
    I added 63.219.181.7, as well as *.63.219.181.7 to the restricted sites and removed it from the Trusted ones, but it always comes back.
    When running AdAware, the same kind of entries comes also back after some times (linked to this zone): I paste here those two entries from Adaware:

    “Trusted zone presumably compromised : 63.219.181.7

    Possible Browser Hijack attempt Object Recognized!
    Type : Regkey
    Data :
    Category : Vulnerability
    Comment : Trusted zone presumably compromised : 63.219.181.7
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7

    Possible Browser Hijack attempt Object Recognized!
    Type : RegValue
    Data :
    Category : Vulnerability
    Comment : Trusted zone presumably compromised : 63.219.181.7
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7
    Value : http”

    I ran 3 antivirus online, they found few things, but no change after.
    Here is the result of Ravantivirus:
    RavAntivirus:
    Scan started at 01/02/2005 15:07:33

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\User\Desktop\HJT last\backups\backup-20050126-105359-493 - Exploit:HTML/MhtRedir.gen* -> Infected
    C:\Maintenance Ordi\hijackthis 23-01.log - Exploit:HTML/MhtRedir.gen* -> Infected
    C:\Maintenance Ordi\hijackthis 26-01.log - Exploit:HTML/MhtRedir.gen* -> Infected
    Scanned
    ============================
    Objects: 62377
    Directories: 3221
    Archives: 6898
    Size(Kb): 1879775
    Infected files: 3

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 2770


    The one of Panda is:

    Incident Status Location

    Virus:Trj/Downloader.AJU Disinfected Operating system
    Virus:Trj/Downloader.AIB Disinfected C:\Documents and Settings\User\Desktop\HJT last\backups\backup-20050126-105359-399.inf
    Virus:Trj/Downloader.AIB Disinfected C:\Documents and Settings\User\Desktop\HJT last\backups\backup-20050126-105359-815.inf
    Virus:Trj/Downloader.AIB Disinfected C:\WINDOWS\internt.exe
    Virus:Trj/Downloader.AJU Renamed C:\WINDOWS\system32\delaybuf.dll

    (I don’t know if this information can help?).

    Here is the last HJT log.
    I gave you the one just done before a last Adaware cleaning, so that it includes the “O15 Trusted zone”. If I do it after Adaware this line disappears. (however, it will come back after some times…).

    Thanks for your time spent on this!.

    Boliv:

    Logfile of HijackThis v1.99.0
    Scan saved at 09:37:38, on 02/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\TOSHIBA\Ivp\netint\netint.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\User\Desktop\HJT last\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  13. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    hi boliv, Don't despair or lose hope, there's always more things to try :)

    You might want to print out these instructions before you do them, cause you won't have access to your desktop for part of this time.

    Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):

    C:\Windows\System32\smbdins.exe
    C:\Windows\System32\tsmsetup.exe
    C:\Windows\System32\sethcd.exe
    C:\Windows\System32\nbrtstat.exe
    C:\Windows\System32\rdspclips.exe
    C:\Windows\System32\ipvcx6.exe
    C:\Windows\System32\sprestrst.exe
    C:\Windows\System32\upncont.exe
    C:\Windows\System32\wowdbe.exe
    C:\Windows\System32\od.exe
    c:\windows\system32\msi.dll
    C:\Windows\system32\mszsv.dll



    download DelDomains here and unzip it to your desktop:

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right-click on the deldomains.inf file and select 'Install'

    This should clear out that trusted entry that will not be removed.


    Download CleanUp here:

    http://cleanup.stevengould.org/

    or here:
    http://www.greyknight17.com/spy/Cleanup.exe

    Install it. Run CleanUp and click on CleanUp button. When it asks you if you want to logoff, click on Yes.


    Boot to DOS (if you are able) (hit the F8 key repeatedly when booting up and you should come to the black and white menu that includes Safe Mode and other choices). Choose "Command prompt" (might not say it exactly that way, but it will say command prompt)

    If you can't get to a command prompt this way, then do the following:

    In windows go to start, accessories, command prompt, and hit Enter (it'll be slightly different than this cause you have XP, but it's there somewhere after clicking Start menu (maybe under "programs")

    If it says, C:\Windows, then type cd\ and hit Enter

    It should come to the C:\ prompt.

    When it does, type in:

    del C:\Windows\System32\smbdins.exe

    and then hit "Enter" (notice there is a space after del)

    Now do the same for each of the following filenames, one at a time, hitting enter after each one (putting "del " in front of each) Some may or may not be there, but it's important to try to delete them all this way.

    C:\Windows\system32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\Windows\system32\nbrtstat.exe
    C:\Windows\System32\ipvcx6.exe
    C:\Windows\System32\sprestrst.exe
    C:\Windows\System32\upncont.exe
    C:\Windows\System32\wowdbe.exe
    C:\Windows\System32\od.exe
    c:\Windows\system32\msi.dll
    C:\Windows\system32\mszsv.dll
    C:\Windows\System32\rdspclips.exe
    C:\Windows\rdspclips.exe
    <--this is in case it's in the Windows folder instead of System32
    C:\rdspclips.exe <--- this is in case it's right on the C: drive
    C:\Windows\system32\msi.dll
    C:\Windows\system32\mszsv.dll

    now type in cd\Windows\Prefetch and hit Enter

    now it should say C:\Windows\Prefetch

    if it does, then type

    del *.*

    and hit "Enter" (note there is a space after del and before the first asterisk)

    Reboot to normal mode (or, if you got to the command prompt the second way, then just close the command prompt window).

    Run the CleanUp program again and choose Yes when it asks if you want to log off.

    Restart and run HijackThis again and post a new log here


    Wayne
     
  14. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Hi Wayne,
    I tried, but:
    - on all the files to fix by Killbox, only "od.exe" and "msi.dll" were there. The others, there are almost similar ones, but always with one different letter .
    -For DelDomain, is it normal that when I select "Install", it doesn't do (or show) anything?
    - For the Command prompt, the black screen shows "c:\documents and settings\user>
    (not c:\windows). After cd\ it goes to "C:\>"
    Anyway, there, I typed the various "del,...". For all of them, it wrote "could not find,...", except msi.dll where it wrote "access denied".

    After all that, the same symptoms come again,...

    Can we try anything else?

    Thanks for your time.

    boliv.

    Here is the last HJT:
    Logfile of HijackThis v1.99.0
    Scan saved at 23:19:54, on 02/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\EZSP_PX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\smbdins.exe
    C:\WINDOWS\System32\sethcd.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Documents and Settings\User\Desktop\HJT last\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  15. boliv

    boliv Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    12
    Hi Wayne,

    Can you still do something for me?
    Thanks.

    boliv.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/323515

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice