
Need Serious Pair of Eyes... Hijacked??

Discussion in 'Virus & Other Malware Removal' started by Dave001, Feb 8, 2005.

Thread Status:
Not open for further replies.
  1. Dave001

    Dave001 Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    39
    Hi guys...I have gotten infected with some wacky stuff... I tried to fix it on my own but I am locked out of a lot of things. I can only access Explorer through the Start > Run command. If I click on any shortcut link on my PC I receive "application error from explorer.exe" and a message stating "instruction 0x0122d065 at 0x0000000 memory could not be written."

    Thus far I have completed the following fixes to try and remedy this problem to no avail.

    First I ran a reg cleaner and a program called Advanced Uninstaller Pro. I was able to disable a lot of foreign startup programs and clean out most files. I saw these following recently downloaded entries though in my program list

    Search Extender
    Shopping Wizard
    Home Search Assistant.
    I force removed all three

    RAN- killbox and pasted each of these lines into the box, selected standard file delete
    C:\WINDOWS\system32\d3ow.exe
    C:\WINDOWS\system32\netjz.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe
    C:\WINDOWS\system32\Dqkoad.exe
    C:\WINDOWS\system32\Hepzdp.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe
    C:\WINDOWS\system32\tibs5.exe
    C:\WINDOWS\addht32.exe
    C:\WINDOWS\system32\ipfk.dll
    C:\WINDOWS\hzowf.dll

    NONE OF THESE FILES WERE FOUND DURING DELETION IN KILLBOX


    THEN I RAN- aboutbuster.

    NEXT RAN- Cwshredder
    Closed all browser windows, then clicked "FIX" (Not "Scan only") and let it do its thing. Ran full scan and cleaned up those entries found


    NEXT I - Opened Windows Explorer & went to Tools > Folder Options. Clicked on the View tab and made sure that "Show hidden files and folders" was checked. Also unchecked "Hide protected operating system files" and unticked "hide extensions for known file types" and applied to all folders.


    THEN I- went to Start > Run and typed %temp% in the Run box, pressed OK. The Temp folder opened. Clicked Edit > Select All then Edit > Delete to delete all entries

    WENT TO- C:\windows\temp and selected EVERYTHING and deleted all that and then did the same for C:\temp.


    NEXT I --- Opened Control Panel
    Click on Internet Options
    On the General Tab, in the middle of the screen, clicked on Delete Files and deleted all offline content
    Deleted Cookies


    THEN I-
    Updated Adaware SE and Ran it
    Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Deselected "Search for negligible risk entries",

    RAN ADAWARE scanner using the Full Scan (Perform full system scan) mode.

    Deleted everything

    Finally REBOOTED

    Ran an online antivirus check from http://housecall.trendmicro.com/ and before I could run it everything came back and ate me up again. However I still went on to download Hoster and run Hoster. Pressed "Restore Original Hosts"
    After an hour worth of work I was still slammed back to square one.....

    Went back into Advanced Uninstaller Pro and it recognized these three files I deleted in the beginning as new entries.

    Search Extender
    Shopping Wizard
    Home Search Assistant.

    Everything was back in the startup menus as well


    BELOW IS MY MOST CURRENT HIJACK LOG FILE CREATED AFTER I FAILED TO CLEAN THIS PROBLEM>>>MAYBE YOU GUYS COULD MAKE SOME SENSE OF THIS PLEASE HELP !!!

    Logfile of HijackThis v1.99.0
    Scan saved at 5:08:22 AM, on 2/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\d3dh32.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINDOWS\System32\LVComsX.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\ntsy32.exe
    C:\Documents and Settings\Zaro\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {3C6CC514-0686-8D4A-3795-115CE35C21E9} - C:\WINDOWS\system32\apidf.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ntsy32.exe] C:\WINDOWS\ntsy32.exe
    O4 - HKLM\..\RunOnce: [d3dh32.exe] C:\WINDOWS\d3dh32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093187410187
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipov32.exe (file missing)
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Read all these instructions carefully, Print them out and download all the things mentioned before starting

    First download CWshredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it, DO not run it yet
    Also
    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
    right click the file and select install, that will reset the trusted zone domains that have been wrongly placed there


    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now boot into safe mode

    How to start your computer in safe mode

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytkls.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {3C6CC514-0686-8D4A-3795-115CE35C21E9} - C:\WINDOWS\system32\apidf.dll

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [ntsy32.exe] C:\WINDOWS\ntsy32.exe
    O4 - HKLM\..\RunOnce: [d3dh32.exe] C:\WINDOWS\d3dh32.exe


    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)


    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipov32.exe (file missing)



    now run killbox and paste each of these lines into the box, select standard file delete then press the red X button,say yes to the prompt then continue to paste the lines in in turn and follow the above procedure every time,

    C:\WINDOWS\ipov32.exe
    C:\WINDOWS\ntsy32.exe
    C:\WINDOWS\d3dh32.exe
    C:\WINDOWS\system32\apidf.dll
    C:\WINDOWS\ytkls.dll

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    then Run Cwshredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Run adaware

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main adaware scan and follow its directions
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    NOW REBOOT

    download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
    right click the file and select install, that will reset the trusted zone domains that have been wrongly placed there

    Run an online antivirus check from
    http://housecall.trendmicro.com/

    Make sure autoclean is ticked

    reboot again

    These hijackers are known to alter or delete certain files so check this out please:

    Download the Hoster from here . UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go here, and download control.exe per the instructions at the site.


    Then post a new hijackthis log to check please
     
  3. Dave001

    Dave001 Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    39
    As requested..here is my NEW HijackThis log file...It appears all is fine but I still need someone with more experience to look it over before I can sleep easy.

    Logfile of HijackThis v1.99.0
    Scan saved at 4:02:40 PM, on 2/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\WINDOWS\System32\LVComsX.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Zaro\Desktop\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093187410187
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
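A triage helper for the two logs in this thread, added here as an example (not the forum's or either poster's code): it parses HijackThis R*/O* entries, flags the CoolWebSearch-style indicators dvk01 ticked (the res:// search hijacks, the missing URLSearchHook, the unnamed BHO, autoruns of executables sitting directly in C:\WINDOWS, the Trusted Zone domain, the service with a missing binary), and diffs the before and after logs to confirm those entries are gone. The log excerpts are constructed from lines in the posts above; the QuickTime autorun dvk01 also ticked is not a hijack indicator and is deliberately not flagged.

```python
import re
from dataclasses import dataclass

# Constructed excerpts: a handful of entries copied from the two HijackThis
# logs posted in this thread (before and after dvk01's fix list).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytkls.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3C6CC514-0686-8D4A-3795-115CE35C21E9} - C:\WINDOWS\system32\apidf.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ntsy32.exe] C:\WINDOWS\ntsy32.exe
O4 - HKLM\..\RunOnce: [d3dh32.exe] C:\WINDOWS\d3dh32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ipov32.exe (file missing)
"""

AFTER_LOG = r"""
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E06402-3F3B-4E01-9983-C61FAF5656F9}: NameServer = 192.168.1.1
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# An autorun whose executable sits directly in C:\WINDOWS (not a subfolder),
# the pattern of the ntsy32.exe / d3dh32.exe droppers in this log.
WINROOT_EXE_RE = re.compile(r"C:\\WINDOWS\\[^\\ ]+\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "R1", "O4"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


def parse_entries(log_text):
    """Return (section, line) for every R*/O* entry in a HijackThis log."""
    entries = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), raw.strip()))
    return entries


def triage(log_text):
    """Flag the CoolWebSearch-style hijack indicators seen in this thread."""
    findings = []
    for section, line in parse_entries(log_text):
        reason = None
        if section in ("R0", "R1") and "res://" in line and ".dll/" in line:
            reason = "IE search/start page redirected into a local DLL resource"
        elif section == "R3" and "URLSearchHook is missing" in line:
            reason = "default URLSearchHook has been removed"
        elif section == "O2" and "(no name)" in line:
            reason = "unnamed Browser Helper Object"
        elif section == "O4" and WINROOT_EXE_RE.search(line):
            reason = "autorun of an executable dropped directly in C:\\WINDOWS"
        elif section == "O15":
            reason = "domain added to the IE Trusted Zone"
        elif section == "O23" and "(file missing)" in line:
            reason = "service whose binary no longer exists on disk"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    old = {line for _, line in parse_entries(before)}
    new = {line for _, line in parse_entries(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed, {len(added)} new entries")
    for f in triage(AFTER_LOG):
        print("still suspicious:", f.line)
```

Feed it two full logs saved as text files and the same diff shows exactly which entries a fix pass removed and whether anything new appeared after the reboot.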
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek