
Suspected Trojan in my Computer

Discussion in 'Virus & Other Malware Removal' started by sicksid, Apr 24, 2004.

  1. sicksid

    sicksid Thread Starter

    Joined:
    Apr 24, 2004
    Messages:
    3
    Hi:

    The text was too large, so I have attached the message in a Word document. I paste here the maximum number of characters allowed by the forum; whoever wants to read it completely will have to read the attached document. In fact the most important part is at the end. Here it is:


    "Hi:

    The mail is quite long, but I give a lot of information to let the experts know whether I still have some virus/worm/spyware in my PC, and it could also be helpful to other people trying to solve the same problem I had (or am still having).

    I have two partitions in my computer (both with different installations of Windows XP Pro, called OWN XP FAT and NICE XP NFTS). From the first, the first is shown as C and the second as E; from the second, the first is shown as C and the second as D. I think the sicker Windows was the second, but I still think that the first Windows had some garbage.

    If you prefer to skip the intermediate steps I followed in order to remove the spyware/viruses/worms from my computer, just go to the end of the mail (from the sequence "------>>>>>" to the end of the mail) to see the last HijackThis log from one of the two instances of Windows XP that I have installed (the second, the one that I normally use) and to know the problems and questions that I still have.

    The thing is that I think I had a Trojan or something similar. I don't know a lot about these things. After some hours of work it seems that my system is free of viruses, worms and all this stuff, but I'm not completely sure. And this is the main purpose of this mail.

    The symptoms were that the system was much slower than before, with some processes apparently accessing the hard disk all the time and leaving no processing time for others. Also, when I killed some process (I think svchost.exe) I sometimes got this message:

    "This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/system.
    Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly. "

    And then the system was shut down.

    In the first moments I thought it was related to svchost.exe, but I'm not sure.

    Before doing anything else, I changed the settings for the Remote Procedure Call (RPC) service in both instances of the OS, in order to connect to the internet without the computer shutting down, by doing the following:

    "Right-click the My Computer icon on the Windows desktop or in the Start menu.
    Select Manage. The Computer Management window will open.
    In the left pane, double-click on Services and Applications.
    Select Services and a list of services should appear.
    In the right pane, locate the Remote Procedure Call (RPC) service, it will have a Status of "Started".
    Right-click on the first Remote Procedure Call (RPC) service listed.
    Select Properties.
    Select the Recovery tab.
    Using the drop-down lists, change First failure, Second failure, and Subsequent failures from Restart the Computer to Take No Action.
    Click on Apply and then OK. "

    I also installed in both operating systems the critical updates from the Windows XP web site. I also already had Service Pack 1 installed on both systems.


    The process I followed is here. First I got a HijackThis log file from the first Windows XP. It is here:

    ------------------------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 0:49:03, on 24/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\sistray.EXE
    C:\WINNT\System32\khooker.exe
    C:\Archivos de programa\Winamp\Winampa.exe
    C:\WINNT\System32\qttask.exe
    C:\ARCHIV~1\B'SCLI~1\Win2K\BSCLIP.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    C:\Archivos de programa\Microsoft Encarta\Biblioteca de Consulta Encarta 2004\EDICT.EXE
    C:\WINNT\System32\DVDRAMSV.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\Archivos de programa\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\Archivos de programa\National Instruments\Shared\License Manager\Bin\nilm.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\snmp.exe
    C:\Archivos de programa\VMware\VMware Workstation\Programs\vmware-authd.exe
    C:\WINNT\System32\vmnetdhcp.exe
    C:\WINNT\system32\vmnat.exe
    C:\WINNT\System32\mqtgsvc.exe
    C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINNT\System32\dllhost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\ARCHIV~1\NETSCAPE\NETSCA~1\NETSCP6.EXE
    C:\WINNT\PCHEALTH\HELPCTR\Binaries\helpctr.exe
    C:\WINNT\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINNT\PCHealth\HelpCtr\Binaries\HelpHost.exe
    C:\WINNT\explorer.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    E:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    E:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Common\ycomp5_1_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {83A30C59-3A50-49E6-9DAF-4923C4EA3C23} - C:\Archivos de programa\Archivos comunes\WebSpeech.4.0\LgxIEBar.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Common\ycomp5_1_3_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Archivos de programa\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [!!!!!es02] c:\windows\celebridad[1].exe s
    O4 - HKLM\..\Run: [IMAQBoot] C:\Archivos de programa\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [B'sCLiP] C:\ARCHIV~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [918530] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\918530.cpl
    O4 - HKCU\..\Run: [65836] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65836.cpl
    O4 - HKCU\..\Run: [131396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131396.cpl
    O4 - HKCU\..\Run: [65824] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65824.cpl
    O4 - HKCU\..\Run: [65882] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65882.cpl
    O4 - HKCU\..\Run: [196810] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196810.cpl
    O4 - HKCU\..\Run: [196948] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196948.cpl
    O4 - HKCU\..\Run: [65904] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65904.cpl
    O4 - HKCU\..\Run: [131230] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131230.cpl
    O4 - HKCU\..\Run: [262432] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262432.cpl
    O4 - HKCU\..\Run: [131318] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131318.cpl
    O4 - HKCU\..\Run: [131440] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131440.cpl
    O4 - HKCU\..\Run: [262400] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262400.cpl
    O4 - HKCU\..\Run: [196908] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196908.cpl
    O4 - HKCU\..\Run: [327994] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\327994.cpl
    O4 - HKCU\..\Run: [65894] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65894.cpl
    O4 - HKCU\..\Run: [65854] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65854.cpl
    O4 - HKCU\..\Run: [328002] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\328002.cpl
    O4 - HKCU\..\Run: [65874] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65874.cpl
    O4 - HKCU\..\Run: [65906] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65906.cpl
    O4 - HKCU\..\Run: [131366] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131366.cpl
    O4 - HKCU\..\Run: [196924] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196924.cpl
    O4 - HKCU\..\Run: [131346] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131346.cpl
    O4 - HKCU\..\Run: [590140] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\590140.cpl
    O4 - HKCU\..\Run: [131400] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131400.cpl
    O4 - HKCU\..\Run: [262396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262396.cpl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINNT\system32\RAMASST.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: WebSpeech (HKLM)
    O9 - Extra 'Tools' menuitem: Seite/Markierung vorlesen (WebSpeech) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Investigador (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricsdomain.com/mp3.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ------------------------------------------------------------------------------------

    I deactivated the restore points utility of Windows XP (the first one). Afterwards, from this first Windows XP I installed a firewall (Zone Alarm) and blocked the access of some suspicious software and hosts that wanted to send or get information from my PC. Then I ran the latest updated version of Ad-aware and cleaned all the spyware it found. Then I installed and ran all the kinds of protection that SpywareGuard and SpywareBlaster allow. I also installed and ran an evaluation copy of Trojan Hunter Guard, and also installed and ran an evaluation copy of Antivir Task Manager 3.7, running also its own antivirus, which found nothing. Afterwards I used HijackThis 1.97.0.7 and some of the previous programs to manually delete some start-up programs and some registry keys. I also manually deleted some suspicious programs on my system.

    Here is the HijackThis log file after all these operations, from the first Windows XP, without restarting Windows:

    -------------------------------------------------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 1:23:56, on 24/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\sistray.EXE
    C:\WINNT\System32\khooker.exe
    C:\Archivos de programa\Winamp\Winampa.exe
    C:\WINNT\System32\qttask.exe
    C:\ARCHIV~1\B'SCLI~1\Win2K\BSCLIP.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    C:\Archivos de programa\Microsoft Encarta\Biblioteca de Consulta Encarta 2004\EDICT.EXE
    C:\WINNT\System32\DVDRAMSV.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\Archivos de programa\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\Archivos de programa\National Instruments\Shared\License Manager\Bin\nilm.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\snmp.exe
    C:\Archivos de programa\VMware\VMware Workstation\Programs\vmware-authd.exe
    C:\WINNT\System32\vmnetdhcp.exe
    C:\WINNT\system32\vmnat.exe
    C:\WINNT\System32\mqtgsvc.exe
    C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINNT\System32\dllhost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\ARCHIV~1\NETSCAPE\NETSCA~1\NETSCP6.EXE
    C:\WINNT\PCHEALTH\HELPCTR\Binaries\helpctr.exe
    C:\WINNT\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINNT\PCHealth\HelpCtr\Binaries\HelpHost.exe
    C:\WINNT\explorer.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\SpywareGuard\sgmain.exe
    C:\Archivos de programa\SpywareGuard\sgbhp.exe
    E:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Common\ycomp5_1_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Archivos de programa\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {83A30C59-3A50-49E6-9DAF-4923C4EA3C23} - C:\Archivos de programa\Archivos comunes\WebSpeech.4.0\LgxIEBar.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Common\ycomp5_1_3_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Archivos de programa\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [IMAQBoot] C:\Archivos de programa\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [B'sCLiP] C:\ARCHIV~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [918530] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\918530.cpl
    O4 - HKCU\..\Run: [65836] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65836.cpl
    O4 - HKCU\..\Run: [131396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131396.cpl
    O4 - HKCU\..\Run: [65824] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65824.cpl
    O4 - HKCU\..\Run: [65882] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65882.cpl
    O4 - HKCU\..\Run: [196810] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196810.cpl
    O4 - HKCU\..\Run: [196948] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196948.cpl
    O4 - HKCU\..\Run: [65904] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65904.cpl
    O4 - HKCU\..\Run: [131230] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131230.cpl
    O4 - HKCU\..\Run: [262432] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262432.cpl
    O4 - HKCU\..\Run: [131318] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131318.cpl
    O4 - HKCU\..\Run: [131440] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131440.cpl
    O4 - HKCU\..\Run: [262400] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262400.cpl
    O4 - HKCU\..\Run: [196908] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196908.cpl
    O4 - HKCU\..\Run: [327994] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\327994.cpl
    O4 - HKCU\..\Run: [65894] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65894.cpl
    O4 - HKCU\..\Run: [65854] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65854.cpl
    O4 - HKCU\..\Run: [328002] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\328002.cpl
    O4 - HKCU\..\Run: [65874] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65874.cpl
    O4 - HKCU\..\Run: [65906] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65906.cpl
    O4 - HKCU\..\Run: [131366] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131366.cpl
    O4 - HKCU\..\Run: [196924] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196924.cpl
    O4 - HKCU\..\Run: [131346] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131346.cpl
    O4 - HKCU\..\Run: [590140] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\590140.cpl
    O4 - HKCU\..\Run: [131400] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131400.cpl
    O4 - HKCU\..\Run: [262396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262396.cpl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    O4 - Startup: Acceso directo a Ad-aware.lnk = E:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINNT\system32\RAMASST.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: WebSpeech (HKLM)
    O9 - Extra 'Tools' menuitem: Seite/Markierung vorlesen (WebSpeech) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Investigador (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    -------------------------------------------------------------------------------------

    I must still run Ad-aware in the first Windows XP to see whether there is still any spyware running there.

    And I did more or less the same operations in the second Windows XP, which is the OS instance that I use more. One of the differences is that I have Symantec Antivirus on this system. I disabled it to avoid conflicts with the other anti-virus/anti-worm programmes and followed more or less the same scheme. The HijackThis log before doing any action is this:"

    (To be continued in the attachment, please read it...)

    Sicksidviciuos.
     
  2. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    This is a basic guide as to what the log means, and some tips on reading it yourself. This should in no way replace asking for help in the forums, but it will still help you somewhat in understanding and modifying the log yourself.
    --------------------------------------------------------------------------------

    Overview

    Each line in a HijackThis log starts with a section name.

    For practical information, click the section name you need help with:
    R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
    F0, F1 - Autoloading programs
    N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
    O1 - Hosts file redirection
    O2 - Browser Helper Objects
    O3 - Internet Explorer toolbars
    O4 - Autoloading programs from Registry
    O5 - IE Options icon not visible in Control Panel
    O6 - IE Options access restricted by Administrator
    O7 - Regedit access restricted by Administrator
    O8 - Extra items in IE right-click menu
    O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
    O10 - Winsock hijacker
    O11 - Extra group in IE 'Advanced Options' window
    O12 - IE plugins
    O13 - IE DefaultPrefix hijack
    O14 - 'Reset Web Settings' hijack
    O15 - Unwanted site in Trusted Zone
    O16 - ActiveX Objects (aka Downloaded Program Files)
    O17 - Lop.com domain hijackers
    O18 - Extra protocols and protocol hijackers
    O19 - User style sheet hijack

    --------------------------------------------------------------------------------

    R0, R1, R2, R3 - IE Start & Search page

    What it looks like:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
    R3 - Default URLSearchHook is missing
    What to do:
    If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
    For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.
    --------------------------------------------------------------------------------

    F0, F1 - Autoloading programs

    What it looks like:
    F0 - system.ini: Shell=Explorer.exe Openme.exe
    F1 - win.ini: run=hpfsched

    What to do:
    The F0 items are always bad, so fix them.
    The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad.
    --------------------------------------------------------------------------------

    N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

    What it looks like:
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
    What to do:
    Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see a URL you don't recognize as your homepage or search page, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O1 - Hosts file redirection

    What it looks like:
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    What to do:
    This hijack will redirect the address on the right to the IP address on the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.
    --------------------------------------------------------------------------------

    O2 - Browser Helper Objects

    What it looks like:
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
    What to do:
    If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.

    --------------------------------------------------------------------------------

    O3 - IE toolbars

    What it looks like:
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
    O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL
    What to do:
    If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
    If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data' (like the last one in the examples above), it's definitely bad, and you should have HijackThis fix it.
    --------------------------------------------------------------------------------

    O4 - Autoloading programs from Registry

    What it looks like:
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    What to do:
    Use PacMan's Startup List to find the entry and see if it's good or bad.
    --------------------------------------------------------------------------------

    O5 - IE Options not visible in Control Panel

    What it looks like:
    O5 - control.ini: inetcpl.cpl=no
    What to do:
    Unless you've knowingly hidden the icon from Control Panel, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O6 - IE Options access restricted by Administrator

    What it looks like:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    What to do:
    Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this.
    --------------------------------------------------------------------------------

    O7 - Regedit access restricted by Administrator

    What it looks like:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    What to do:
    Always have HijackThis fix this.
    --------------------------------------------------------------------------------

    O8 - Extra items in IE right-click menu

    What it looks like:
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    What to do:
    If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

    What it looks like:
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    What to do:
    If you don't recognize the name of the button or menuitem, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O10 - Winsock hijackers

    What it looks like:
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
    O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
    What to do:
    It's best to fix these using LSPFix from Cexx.org, or Spybot S&D from Kolla.de.
    --------------------------------------------------------------------------------

    O11 - Extra group in IE 'Advanced Options' window

    What it looks like:
    O11 - Options group: [CommonName] CommonName
    What to do:
    The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this.
    --------------------------------------------------------------------------------

    O12 - IE plugins

    What it looks like:
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    What to do:
    Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).
    --------------------------------------------------------------------------------

    O13 - IE DefaultPrefix hijack

    What it looks like:
    O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
    O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
    What to do:
    These are always bad. Have HijackThis fix them.
    --------------------------------------------------------------------------------

    O14 - 'Reset Web Settings' hijack

    What it looks like:
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
    What to do:
    If the URL is not the provider of your computer or your ISP, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O15 - Unwanted site in Trusted Zone

    What it looks like:
    O15 - Trusted Zone: http://free.aol.com
    What to do:
    So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix this.
    --------------------------------------------------------------------------------

    O16 - ActiveX Objects (aka Downloaded Program Files)

    What it looks like:
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    What to do:
    If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc., definitely fix it.
    --------------------------------------------------------------------------------

    O17 - Lop.com domain hijacks

    What it looks like:
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
    What to do:
    If the domain is not from your ISP or company network, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O18 - Extra protocols and protocol hijackers

    What it looks like:
    O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
    O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
    O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
    What to do:
    Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar); you should have HijackThis fix those.
    Other things that show up are either not confirmed safe yet, or are hijacked by spyware. In the last case, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O19 - User style sheet hijack

    What it looks like:
    O19 - User style sheet: c:\WINDOWS\Java\my.css
    What to do:
    In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log.
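    A defender-side triage script for the log format this tutorial describes, added here as an example; it is not the tutorial's or HijackThis's own code. It applies the 'what to do' rules above to a constructed sample built from entries shown on this page; the random-name heuristic, the list of trusted domains passed in for O17, and the O4 grouping (which goes beyond the tutorial) are my own assumptions.

```python
"""Triage HijackThis 1.9x log lines with the 'what to do' rules quoted above (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entries copied from the tutorial's examples and from the
# logs posted later in this thread, so the verdicts can be compared.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [918530] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\918530.cpl
O4 - HKCU\..\Run: [65836] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65836.cpl
O4 - HKCU\..\Run: [131396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131396.cpl
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O15 - Trusted Zone: http://free.aol.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
"""

LINE_RE = re.compile(r"^(O\d{1,2}|R[013])\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Finding:
    section: str
    verdict: str  # "fix" (tutorial: always fix), "review" (look it up first) or "ok"
    reason: str
    line: str

def looks_random(name):
    """Assumed heuristic for the tutorial's 'name seems a random string of
    characters': one alphabetic token of 6+ letters with under 25% vowels."""
    n = name.strip()
    if not n.isalpha() or len(n) < 6:
        return False
    return sum(c in "aeiou" for c in n.lower()) / len(n) < 0.25

def triage_line(line, trusted_domains=()):
    """Classify one log line; None for headers, the process list and blanks.
    trusted_domains (assumed input) lists your ISP/company domains for O17."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    verdict, reason = "review", "no rule in the quoted tutorial section"
    if sec in ("O7", "O13"):
        verdict, reason = "fix", "tutorial: always have HijackThis fix this"
    elif sec == "O15":
        verdict, reason = "fix", "Trusted Zone site may run any ActiveX; always fix"
    elif sec == "O10":
        reason = "Winsock LSP entry: repair with LSPFix or Spybot S&D, not by hand"
    elif sec == "O17":
        domain = body.rsplit("=", 1)[-1].strip().lower()
        if any(domain == d or domain.endswith("." + d) for d in trusted_domains):
            verdict, reason = "ok", f"{domain} is an ISP/company domain you listed"
        else:
            verdict, reason = "fix", f"{domain} is not a known ISP/company domain"
    elif sec in ("O2", "O3"):
        name = body.split(" - ")[0].split(": ", 1)[-1]
        if sec == "O3" and looks_random(name) and "application data" in body.lower():
            verdict, reason = "fix", "random-looking toolbar name in an 'Application Data' folder"
        else:
            clsid = CLSID_RE.search(body)
            ref = clsid.group(0) if clsid else "(no CLSID)"
            reason = f"look up {ref} in TonyK's BHO/Toolbar list"
    elif sec == "O4":
        reason = "look up the entry in PacMan's Startup List"
    return Finding(sec, verdict, reason, line.strip())

def triage_log(text, trusted_domains=()):
    found = (triage_line(l, trusted_domains) for l in text.splitlines())
    return [f for f in found if f]

def o4_families(findings):
    """Beyond the tutorial: group O4 commands by template (digit runs collapsed
    to '#') so a burst of near-identical autostart entries stands out for review."""
    fam = Counter()
    for f in findings:
        if f.section == "O4":
            fam[re.sub(r"\d+", "#", f.line.split("]", 1)[-1].strip())] += 1
    return fam

if __name__ == "__main__":
    fs = triage_log(SAMPLE_LOG, trusted_domains=("cern.ch",))
    for f in fs:
        print(f"{f.section:<4} {f.verdict:<7} {f.reason}")
    for template, n in o4_families(fs).items():
        if n > 1:
            print(f"O4 family x{n}: {template}")
```

    Run as a script it prints one verdict per line; the O17 verdicts depend entirely on the domains you pass as trusted, and a large O4 family is only a prompt to look those entries up, not proof of anything.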
     
  3. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Close your internet browser and all other programs, do the below, restart your computer and then generate your Hijack This log.

    Clear your browser's Cache and key folders before you generate a HJT log:

    Click the Start button; point to Control Panel and select Internet Options; in the box that opens, click the Clear History, Delete Cookies and Delete Files buttons, each in turn (tick the box next to 'Delete all off-line content'); in the box that opens after activating each button, click the OK button. Click OK to close the Internet Options window.

    Clear the contents of the c:\Windows\Cookies; Temporary Internet Files and Temp folders.


    ***

    You've got way too much running at Windows startup.

    Check your available resources by right-clicking My Computer; clicking Properties; Click the Performance tab. Resources available are displayed as percent there at top. Check it when you get done running the System Configuration Utility mentioned below.

    Click the Start button; Run; type 'msconfig', without the quotation marks, in the Run box and click OK; Then click the Startup tab; Uncheck anything you don't need running in the background. For reference on what's not needed running in the background in the System Configuration Utility, view this website first and print out the list:

    http://www2.whidbey.net/djdenham/Running_items.htm

    It's important that you print out the above mentioned list. The site provides a printer friendly link.

    In the System Configuration Utility (SCU), you can uncheck programs you suspect one at a time and restart your computer. If something doesn't work right, you can always go back into the SCU and re-check it and restart your computer via the Start button. The changes are completely reversible by re-checking an item in SCU or by selecting Normal Startup under the General tab in the SCU and all the programs listed run when Windows starts as it was before you started.

    ***

    You need to be running a firewall like free Sygate from http://download.com (type 'sygate' in the Search box; you must be on-line to register Sygate), that is, if you're not using a firewalled router on a network or don't have another third-party firewall like Sygate installed, to protect you and the Internet community from hackers, spammers and terrorists using your computer for their own illicit needs while you're on-line.


    ***

    Get, install, update and run free Ad-aware (and its HexDump plug-in) from http://www.lavasoftusa.com/software/adaware/

    First, in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on (ON = GREEN):

    From main window :Click Start then Activate in-depth scan (recommended)

    Click 'Use Custom Scanning Options', then click 'Customize' and have these options selected: under Drives and Folders put a check by Scan Within Archives, and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select: Unload recognized processes during scanning, and under Cleaning Engine select: Let windows remove files in use at next reboot.

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and click Next.)

    Restart your computer.

    ***

    You might post exactly what programs you have in the Add/Remove Programs Control Panel list box.

    ***

    Go to http://housecall.trendmicro.com or http://www.pandasoftware.com/activescan/com/activescan_principal.htm and click the Scan Now link to run a free on-line virus scan.

    ***

    What anti-virus are you using? If you're running McAfee or Norton anti-virus and have not recently paid for a one year subscription to download weekly new virus definitions, you might consider getting free AntiVir 6 from http://free-av.com: uninstalling McAfee, restarting your computer and installing free AntiVir Anti-virus 6.0.
     
  4. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    No need for Zone Alarm usually if you have WinXP Internet Connection Firewall (ICF) enabled. You shouldn't have ICF enabled with ZA installed.

    You can use this following explanation to make sure ICF is enabled and if it's not to enable it. If it's not enabled the box will Not be checked, if it is it will be.

    To configure Internet Connection Firewall (ICF) manually for a connection:

    1. Click the Start button

    2. Control Panel

    3. Double-click Networking and Internet Connections

    4. Then click Network Connections

    5. Right-click the connection icon for which you would like to enable ICF

    6. Then click Properties.

    7. On the Advanced tab, (click the box) to select the option to Protect my computer or network.

    8. Click Ok

    9. Click Ok.
     
  5. sicksid

    sicksid Thread Starter

    Joined:
    Apr 24, 2004
    Messages:
    3
    Ok, I think it will take some time to do all you told me. For the moment I have made the first step, cleaning the browser's cache and key folders from both operating systems. I also have removed many other files... But anyway I had problems deleting (in fact, I couldn't delete them) some things, for example some files in the Temp directory of Windows (for example the file "zlt03467.tmp") and in the Temp and the Temporary Internet Files directory of each Personal Settings folder. I could delete all of them if I went to the other Operating System (remember that I have two Windows XP, one in each partition): I suppose that this was because Windows was using them, isn't it? But anyway there was a directory in one of the Personal Settings (and inside Temporary Internet Files) of one of the OS that couldn't be deleted in any manner. It is:

    "C:\Documents and Settings\Sergio\Configuración local\Archivos temporales de Internet\Content.IE5\I9FCLSJ2"

    It is a Spanish installation of Windows XP: "Configuración local" = "Local Settings" and "Archivos temporales de Internet" = "Temporary Internet Files".

    Inside this folder there are four strange files:

    "ͫ"
    "┤"
    "7"
    "ê"

    which I cannot delete from any of the two Windows XP... Do you know what I could do?

    After all this process I have got a big new amount of free memory on the hard disk, and it seems that the systems go faster.

    Another thing that I wanted to tell you is that I have three folders (in addition to those of the Administrator and the users) in Local and Settings that I don't know if I must delete: "NetworkService", "Default User" and "LocalService". Should I delete them?

    Anyway, now I have installed the ZoneAlarm firewall, and the one from Windows was disabled from before. Do you think it is necessary to use the firewall you told me about, or can I maintain this one? For me it would be better to maintain this one, now that I have it installed and I'm used to its operation... If it's not necessary, I will prefer to maintain this one.

    I send you the new HijackThis logs, after deleting all these things and restarting. Maybe you can tell me something new until I do the other tasks you told me. First from one of the Windows:

    --------------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 0:18:55, on 26/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\Archivos de programa\National Instruments\Shared\License Manager\Bin\lmgrd.exe
    C:\Archivos de programa\National Instruments\Shared\License Manager\Bin\nilm.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\snmp.exe
    C:\Archivos de programa\VMware\VMware Workstation\Programs\vmware-authd.exe
    C:\WINNT\System32\vmnetdhcp.exe
    C:\WINNT\system32\vmnat.exe
    C:\WINNT\system32\fxssvc.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\System32\mqtgsvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\sistray.EXE
    C:\WINNT\System32\khooker.exe
    C:\Archivos de programa\Winamp\Winampa.exe
    C:\WINNT\System32\qttask.exe
    C:\ARCHIV~1\B'SCLI~1\Win2K\BSCLIP.exe
    C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    C:\Archivos de programa\SpywareGuard\sgmain.exe
    C:\Archivos de programa\Microsoft Encarta\Biblioteca de Consulta Encarta 2004\EDICT.EXE
    C:\Archivos de programa\SpywareGuard\sgbhp.exe
    C:\Archivos de programa\Microsoft Office\Office10\WINWORD.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\Archivos de programa\Archivos comunes\Logox.4.0\Logox4.exe
    E:\Documents and Settings\Administrator\Desktop\Anti-Malware utilities\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Common\ycomp5_1_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Archivos de programa\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {83A30C59-3A50-49E6-9DAF-4923C4EA3C23} - C:\Archivos de programa\Archivos comunes\WebSpeech.4.0\LgxIEBar.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Common\ycomp5_1_3_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Archivos de programa\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [IMAQBoot] C:\Archivos de programa\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [B'sCLiP] C:\ARCHIV~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [918530] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\918530.cpl
    O4 - HKCU\..\Run: [65836] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65836.cpl
    O4 - HKCU\..\Run: [131396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131396.cpl
    O4 - HKCU\..\Run: [65824] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65824.cpl
    O4 - HKCU\..\Run: [65882] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65882.cpl
    O4 - HKCU\..\Run: [196810] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196810.cpl
    O4 - HKCU\..\Run: [196948] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196948.cpl
    O4 - HKCU\..\Run: [65904] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65904.cpl
    O4 - HKCU\..\Run: [131230] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131230.cpl
    O4 - HKCU\..\Run: [262432] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262432.cpl
    O4 - HKCU\..\Run: [131318] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131318.cpl
    O4 - HKCU\..\Run: [131440] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131440.cpl
    O4 - HKCU\..\Run: [262400] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262400.cpl
    O4 - HKCU\..\Run: [196908] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196908.cpl
    O4 - HKCU\..\Run: [327994] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\327994.cpl
    O4 - HKCU\..\Run: [65894] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65894.cpl
    O4 - HKCU\..\Run: [65854] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65854.cpl
    O4 - HKCU\..\Run: [328002] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\328002.cpl
    O4 - HKCU\..\Run: [65874] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65874.cpl
    O4 - HKCU\..\Run: [65906] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\65906.cpl
    O4 - HKCU\..\Run: [131366] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131366.cpl
    O4 - HKCU\..\Run: [196924] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\196924.cpl
    O4 - HKCU\..\Run: [131346] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131346.cpl
    O4 - HKCU\..\Run: [590140] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\590140.cpl
    O4 - HKCU\..\Run: [131400] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\131400.cpl
    O4 - HKCU\..\Run: [262396] rundll32.exe shell32.dll,Control_RunDLL C:\WINNT\262396.cpl
    O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: WebSpeech (HKLM)
    O9 - Extra 'Tools' menuitem: Seite/Markierung vorlesen (WebSpeech) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Investigador (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    --------------------------------------------------------------------------

    And next for the second Windows:

    --------------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 0:52:17, on 26/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    D:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    D:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\ZoneLabs\vsmon.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    D:\WINDOWS\system32\dla\tfswctrl.exe
    D:\Program Files\Messenger Plus! 2\MsgPlus.exe
    D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\AnVir Task Manager\AnVir.exe
    D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    D:\Program Files\SpywareGuard\sgmain.exe
    D:\Program Files\SpywareGuard\sgbhp.exe
    D:\Documents and Settings\Administrator\Desktop\Anti-Malware utilities\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wh9.tu-dresden.de/?page=/info/mytraffic.php&PHPSESSID=0b09fecbf19adac910c39501605c7df2
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [StorageGuard] "D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] D:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [SpyHunter] D:\Program Files\SpyHunter\SpyHunter.exe /h
    O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AnVir Task Manager] "D:\Program Files\AnVir Task Manager\AnVir.exe" Minimized
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cern.ch
    O17 - HKLM\Software\..\Telephony: DomainName = cern.ch
    O17 - HKLM\System\CCS\Services\Tcpip\..\{34580E6C-178F-484E-86C9-0E4303E81163}: NameServer = 141.76.120.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{62C0FF39-C744-4002-8947-9F5EEE85A1F0}: NameServer = 137.138.16.5,137.138.17.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cern.ch
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cern.ch
    --------------------------------------------------------------------------

    See you,

    SickSid.


    --------------------------------------------------------------------------
    --------------------------------------------------------------------------
    --------------------------------------------------------------------------
     
  6. sicksid

    sicksid Thread Starter

    Joined:
    Apr 24, 2004
    Messages:
    3
    Ah, another thing that I forgot is that I cannot do the following:

    "Check your available resources by right-clicking My Computer; clicking Properties; Click the Performance tab."

    Because I don't have any Performance tab there... Any other way to get the information about the performance of the system?

    Greetings,

    SickSid.

     
  7. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Boot to Safe Mode to delete the Temp folder files that were resistant before. Unable to assist you on the WinXP Spanish version. If you like Zone Alarm, keep it; just be sure ICF is disabled.

    For system information (Performance tab) in WinXP: to open System Information, click Start, and then click Help and Support. Click the Support button on the toolbar, and then, under Tools and Links on the left side of the window, click Advanced System Information. In the details pane, click View detailed system information.

    Do not delete these - "NetworkService", "Default USer" and "LocalService"
     
  8. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Your log/posts are too voluminous to go over in detail.
     
Short URL to this thread: https://techguy.org/223453
