1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

My freind need some major help

Discussion in 'Virus & Other Malware Removal' started by WarChild, Sep 15, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. WarChild

    WarChild Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    39
    Ok I dont know where to start butt my freind need some help with this virus or troj.. could someone look at this and helps us out.
    --------------------------------------------------------------------------------

    Logfile of HijackThis v1.97.2
    Scan saved at 5:16:33 PM, on 9/15/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\System32\CTsvcCDA.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\System32\MsPMSPSv.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\Ad Muncher\AdMunch.exe
    F:\Program Files\QuickTime\qttask.exe
    F:\WINDOWS\System32\winservn.exe
    F:\Program Files\Logitech\MouseWare\system\em_exec.exe
    F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    F:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    F:\WINDOWS\System32\Klt3.exe
    F:\WINDOWS\System32\UbgrYIn.exe
    F:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
    F:\Program Files\Yahoo!\Messenger\ypager.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Documents and Settings\Home\Desktop\HijackThis.exe
    F:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939 - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - F:\Program Files\Lycos\Sidesearch\sidesearch1211.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6B - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - F:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - F:\WINDOWS\bs3.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF105774 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057747 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B9A1EEEC-7EC3-469E-8891-5C51F20CFE17} - F:\WINDOWS\System32\asfsaipc.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08487 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - F:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - F:\Program Files\Topicks\Bin\TpBar.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {AD959F02-9A89-449C-8F99-0BBF57177CD3} - (no file)
    O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [WorksFUD] F:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] F:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Ad Muncher] F:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ContentService] F:\WINDOWS\System32\winservn.exe
    O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] F:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: ZoneAlarm.lnk = F:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://80.96.119.7/fkdsgy/P/MSN_QTPieJess01.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37740.5473148148
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    _________________
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    a bit of a mess isnt it?
    but ive seen worse today believe me:)

    run hijackthis again and put a checkmark against these entries....
    .....then,close all browser and outlook windows and "fix checked"

    if comcast is your prefered startpage,leave that entry..if not ,have H/T "fix" it.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939 - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - F:\Program Files\Lycos\Sidesearch\sidesearch1211.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6B - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - F:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - F:\WINDOWS\bs3.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF105774 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057747 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F - (no file)
    O2 - BHO: (no name) - {B9A1EEEC-7EC3-469E-8891-5C51F20CFE17} - F:\WINDOWS\System32\asfsaipc.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08487 - (no file)
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - F:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - F:\Program Files\Topicks\Bin\TpBar.dll (file missing)
    O3 - Toolbar: (no name) - {AD959F02-9A89-449C-8F99-0BBF57177CD3} - (no file)
    O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKCU\..\Run: [ContentService] F:\WINDOWS\System32\winservn.exe


    i would "fix" this next one as it obviously dosent work,but its up to you.
    O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] F:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    likewise here....if comcast is not your prefered startpage "fix" this next one also.
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://80.96.119.7/...QTPieJess01.exe


    re-boot into safe mode( by tapping the f8 key as windows starts)
    and delete the folowing:
    F:\WINDOWS\System32\winservn.exe
    F:\Program Files\Lycos\Sidesearch
    F:\WINDOWS\System32\stlbdist.DLL
    F:\WINDOWS\bs3.dll
    F:\WINDOWS\System32\asfsaipc.dll
    F:\Program Files\Topicks

    re-boot again and open internet explorer.....click the tools tab... Internet Options. Click the Programs
    tab. Click the Reset Web Settings button,you can then set YOUR start page.

    post another logfile incase we missed anything

    ;)
     
  3. WarChild

    WarChild Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    39
    Ok we deleted the stuff butt it left backup files on my desktop I put them in a folder Can I Delete that folder
     
  4. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Before deleting anything, how about posting a new HT log.
     
  5. WarChild

    WarChild Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    39
    ok heres our new log file butt he says its still runs laggy is there anything else we can check or do...


    --------------------------------------------------------------------------------

    Logfile of HijackThis v1.97.2
    Scan saved at 7:34:24 PM, on 9/15/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\System32\CTsvcCDA.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\WINDOWS\System32\MsPMSPSv.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\Ad Muncher\AdMunch.exe
    F:\Program Files\QuickTime\qttask.exe
    F:\Program Files\Logitech\MouseWare\system\em_exec.exe
    F:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    F:\WINDOWS\System32\MkyAH.exe
    F:\WINDOWS\System32\XtfBt6.exe
    F:\Documents and Settings\Home\Desktop\HijackThis.exe
    F:\Program Files\Yahoo!\Messenger\ypager.exe
    F:\Program Files\Internet Explorer\IEXPLORE.EXE
    F:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [WorksFUD] F:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] F:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Ad Muncher] F:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Trojan Guarder.lnk = F:\Program Files\Trojan Guarder\Trojan Guarder.exe
    O4 - Global Startup: ZoneAlarm.lnk = F:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37740.5473148148
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    _________________
     
  6. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  7. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    You could also download Ad-Aware 6 and have it do a thorough cleaning of your unwanted files.

    Go here for the free Ad-Aware 6 Personal Build 181: http://www.lavasoft.de/support/download/

    Then please launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

    Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

    Then we recommend that you have these options checked:
    Under Ad-aware 6 Settings, Tweaks, Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 Settings, Tweaks, Cleaning Engine:
    "Automatically try to unregister objects prior to deletion."
    "Let Windows remove files in use after reboot."

    Next ...

    Run Ad-aware 6.
    Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
    Make a Quarantine only if you do not have the Auto-Quarantine option ON.
    Then choose "Next" to remove the chosen objects.
    Finally ... Reboot

    [Please read http://forums.techguy.org/t164245/s.html for further instructions, settings , etc.]
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    winnie........hawk.
    have either of you seen these before?
    F:\WINDOWS\System32\MkyAH.exe
    F:\WINDOWS\System32\XtfBt6.exe
    apart from this his log is fine......he could lose a few "not neededs" but im interested to know what the above are."
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    EDIT:
    checkout the same entries in the 1st log.
    F:\WINDOWS\System32\Klt3.exe
    F:\WINDOWS\System32\UbgrYIn.exe

    im off to work now...yes i do have a "normal job" folks:D

    catch ya later.......hi-ho!
     
  10. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Sounds like something that we removed was recreated with a new random generated file name. You can bet the farm it doesn't belong in \Windows\System32 !!

    We just have to find the "parent" that is regererating these filenames.
     
  11. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    I would suggest fixing those two items with HJT first.

    Next, open msconfig and temporarily uncheck these two items

    O4 - HKLM\..\Run: [Ad Muncher] F:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - Global Startup: Trojan Guarder.lnk = F:\Program Files\Trojan Guarder\Trojan Guarder.exe

    Then reboot and rerun HJT and see if we get any randomly named files in \Windows\System32.

    It wouldn't be the first time that a program that purports to be anti adware or anti Trojan turned out to be just the opposite.

    I have received email offers for an anti SPAM product that when you look deeper, the parent company is actually one of the larger SPAM houses. AntiSpam product from a company that makes their living off of SPAM?? I don't think so!!

    Back to the point. IF no random named files are generated in \Windows\System32 then go back into msconfig and re-enable just ONE. Then reboot and rerun HJT and check. IF still no random named files, back into msconfig and re-enable the other one.

    Something is generating those files; I'm just not sure what at this point.

    Let us know the results.
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    trojan garder looks like a fairly new app but admunch is known and not flagged at pacsportal.
    but i bet your not too far away hawk but theres nothing else that really stands out that it could be. if not he should re-name both and see if anything goes jugs up.
    let us know.
    ;)
     
  13. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    I'd be interested in knowing the results of the SB and A-A scans ... anything left over would definitely need to be submitted for further evaluation.

    There are a few running processes that are definite resource hogs, but won't be causing this morphing.

    Suppose there is any value in running a remote on-line scan from Panda or TrendMicro?
     
  14. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    "Suppose there is any value in running a remote on-line scan from Panda or TrendMicro?"

    always a good idea whatevert the problem.
     
  15. WarChild

    WarChild Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    39
    Sorry Guys He Decided To Get A New HardDrive Today While I Was At Work It Was A Old Drive Anyways 5400/40 Butt I Do Apprecate The Time You Guys Spent On This..

    Again Sorry At Least Now He Will Have A Clean Drive
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/165075

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice