
Trojan

Discussion in 'Earlier Versions of Windows' started by cheesecake, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    I believe that I have a Trojan in my PC, but I am not really sure. I am getting a lot of pop-ups and there seems to be a lot of activity in my PC that is not coming from what I am doing, and my PC freezes up and goes dead from time to time. I also get a lot of error messages, and there seems to be a program that I don't recognize (ISearchTech.ISTsvc). Can you help me? :confused:
     
  2. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
    Hi, download Hijack This from the link below. There's nothing to install, just extract it from the zip folder and click on it. When it opens, allow it to scan the system and save a log. Copy and paste the results of the log onto the board and someone will read it for you:

    Hijack This:
    http://www.majorgeeks.com/download.php?det=3155
     
  3. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    OK here it is.

    Logfile of HijackThis v1.99.0
    Scan saved at 7:49:47 PM, on 2/2/05
    Platform: Windows 98 SE (Win9x 4.10.2222B)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\YYCCFHNX.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10000hits.net/SilverSurfer.aspx?userid=280667
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Power IE - {437434D2-065E-499D-A337-59657DF3342F} - C:\PROGRA~1\POWERI~1\CTBAND.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [AGjHsd] C:\YYCCFHNX.EXE
    O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
    O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\YYCCFHNX.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SlipStream Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: Event Reminder.lnk = C:\PMG4\PMREMIND.EXE
    O8 - Extra context menu item: Add to Power IE &Block List... - C:\PROGRAM FILES\POWER IE\adblocking.htm
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
    O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatterbox/download/ccdl.cab
    O18 - Filter: text/html - {D7806F98-C55E-4555-8ACF-A62EB03AB008} - (no file)
     
  4. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
    Hi,

    Download and update Adaware but don’t run it yet.

    Adaware:

    http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

    You’ll also need to configure Ad-aware the following way:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."

    Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: "Let Windows remove files in use at next reboot."

    Press 'Proceed'

    Press 'Start'

    Select option 'Use Custom scanning options'
    Click 'Activate in-depth scan'
    Press 'Select drives\folders to scan'. Select the active partition, which is usually C:
    Click Customize
    Make sure the following are all checked:
    Scan Within Archives
    Scan Active Processes
    Scan Registry
    Deep Scan Registry
    Scan My IE Favorites For Banned URL'S
    Scan My Hosts File

    Click Proceed

    Boot into Safe mode.

    How to boot into Safe Mode:

    http://service1.symantec.com/SUPPOR...001052409420406

    While in Safe Mode go ahead and run Ad-aware.

    Now open up Hijack This and check to remove the entries below. Make sure Hijack This is in its own folder and in a permanent location, for example C:\Program Files because it creates a backup of what you take out:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

    O4 - HKLM\..\Run: [AGjHsd] C:\YYCCFHNX.EXE

    O4 - HKLM\..\Run: [¢‰¸ï0 4Ã_4}¤Á-_œ-5_]C:\Program Files\ISTsvc\istsvc.exe] C:\YYCCFHNX.EXE


    Next unhide all files and folders.

    How to show hidden files:

    Open My Computer from the desktop.

    Select the View Tab then click Folder Options.

    Click the View Tab

    Under Files and Folders/Hidden files select:

    Show all Files

    Click ok.

    Now go to the Start button > Search Files and Folders and type in and delete:

    YYCCFHNX.EXE

    Finally navigate to C:\Program Files and delete the ISTsvc folder.

    When you're finished boot back up into normal mode and post a new log.
     
  5. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    OK, here is the new scan. Sorry to have taken so long in getting back to you, but I just got in from work.
    I could not delete yyccfhnx.exe because it was being used by Windows, the system told me.




    Logfile of HijackThis v1.99.0
    Scan saved at 6:29:16 PM, on 2/3/05
    Platform: Windows 98 SE (Win9x 4.10.2222B)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\YYCCFHNX.EXE
    C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10000hits.net/SilverSurfer.aspx?userid=280667
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Power IE - {437434D2-065E-499D-A337-59657DF3342F} - C:\PROGRA~1\POWERI~1\CTBAND.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\YYCCFHNX.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SlipStream Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: Event Reminder.lnk = C:\PMG4\PMREMIND.EXE
    O8 - Extra context menu item: Add to Power IE &Block List... - C:\PROGRAM FILES\POWER IE\adblocking.htm
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
    O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatterbox/download/ccdl.cab
    O18 - Filter: text/html - {D7806F98-C55E-4555-8ACF-A62EB03AB008} - (no file)
     
  6. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
    Hi cheesecake, let’s try it this way:

    Download Symantec’s FxIstbar from here:

    FxIstbar
    http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    This is from Symantec’s site to be aware of:

    1.) The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

    2.) The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.

    3.) The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.

    4.) The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files.

    These can be manually deleted using the following steps:

    a. Start Internet Explorer.
    b. Click Tools > Internet Options.
    c. In the Temporary Internet Files section, click the Delete Files button.
    d. Check Delete all offline content, and then click OK.

    There’s more info if you’re interested here:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

    After running the tool boot into Safe Mode and unhide System files. Just follow the instructions from my earlier post #4 to do both.

    Open up Hijack This and delete the following entries:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

    O4 - HKLM\..\Run: [¢‰¸ï0 4Ã_4}¤Á-_œ-5_]C:\Program Files\ISTsvc\istsvc.exe] C:\YYCCFHNX.EXE

    O18 - Filter: text/html - {D7806F98-C55E-4555-8ACF-A62EB03AB008} - (no file)


    Once again go to the Start button > Search Files and Folders and type in and delete the file below if it’s there. Symantec may have removed it already but check again just in case:

    YYCCFHNX.EXE

    When you’re finished reboot and post a new log.
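
The entries picked out for removal in the posts above share traits that can be checked mechanically: a browser proxy set to a loopback address, an autorun executable sitting directly in the drive root, an autorun value name made of non-printable bytes, and a registered component with "(no file)". The sketch below is an added example, not part of the original thread and not HijackThis code; the heuristics, function names and sample logs are assumptions constructed for illustration, and a hit is a prompt for review rather than a verdict.

```python
import re

# Constructed sample in HijackThis 1.99 format, modelled on entries from this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AGjHsd] C:\YYCCFHNX.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O18 - Filter: text/html - {D7806F98-C55E-4555-8ACF-A62EB03AB008} - (no file)
"""
# Constructed entry whose value name holds bytes outside printable ASCII.
BEFORE += "O4 - HKLM\\..\\Run: [\xa2\x89\xb8] C:\\YYCCFHNX.EXE\n"

# Constructed follow-up log: only the proxy entry is left after clean-up.
AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                # "O4 - <body>"
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*)\] (.*)$")     # registry Run/RunServices
ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.(exe|com|scr|pif|bat)\b', re.I)
LOOPBACK = re.compile(r"ProxyServer\s*=.*\b(127\.0\.0\.1|localhost)\b", re.I)


def flag_entries(log_text):
    """Return [(line, reason)] for entries that match the assumed heuristics."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        if code == "R1" and LOOPBACK.search(body):
            hits.append((line, "browser proxy points at a local process"))
        elif code == "O4":
            run = RUN.match(body)
            if not run:
                continue  # Startup-folder shortcut, not a registry autorun
            name, target = run.groups()
            if any(ord(c) < 32 or ord(c) > 126 for c in name):
                hits.append((line, "autorun value name is not printable ASCII"))
            elif ROOT_EXE.match(target):
                hits.append((line, "autorun executable sits in the drive root"))
        elif body.endswith("(no file)"):
            hits.append((line, "registered component has no file on disk"))
    return hits


def still_present(before_text, after_text):
    """Flagged lines from the first log that appear unchanged in the second."""
    after_lines = {l.strip() for l in after_text.splitlines()}
    return [line for line, _ in flag_entries(before_text) if line in after_lines]


if __name__ == "__main__":
    for line, reason in flag_entries(BEFORE):
        print(f"{reason}: {line!r}")
    print("left after clean-up:", still_present(BEFORE, AFTER))
```

Comparing the flagged set of one log against the next log mirrors the "post a new log" step: anything returned by `still_present` survived the removal attempt.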
     
  7. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    When I tried to download
    http://securityresponse.symantec.com/avcenter/FxIstbar.exe
    I got the message below.



    Object not found!
    The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
    If you think this is a server error, please contact the webmaster
    Error 404
    response.symantic.com
    Fri 04 Feb 2005 02:26:06 PM PST
    Apache/2.0.40 (Red Hat Linux)
     
  8. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
  9. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    OK, it opened for me now. I am going to download it now, and by the way I found out the name of the virus I got.
    It's called Win.32.SillyDI.DR
     
  10. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    OK, I finally managed it, just one left that I can see.





    Logfile of HijackThis v1.99.0
    Scan saved at 5:25:46 PM, on 2/5/05
    Platform: Windows 98 SE (Win9x 4.10.2222B)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10000hits.net/SilverSurfer.aspx?userid=280667
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Power IE - {437434D2-065E-499D-A337-59657DF3342F} - C:\PROGRA~1\POWERI~1\CTBAND.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: SlipStream Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: Event Reminder.lnk = C:\PMG4\PMREMIND.EXE
    O8 - Extra context menu item: Add to Power IE &Block List... - C:\PROGRAM FILES\POWER IE\adblocking.htm
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
    O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatterbox/download/ccdl.cab
     
  11. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
    You just need to open Hijack This again and put a check to remove this entry:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

    Other than that your log looks good now, is it running a little better?
     
  12. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    I already went into Hijack This, but the entry would not remove.
     
  13. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
    Ok I wouldn't worry about that entry so much. Your log looks clean now, is it running better?
     
  14. cheesecake

    cheesecake Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    8
    Yes, my PC is running real good now, but let me ask you another question:
    how can I keep those tracking bugs from entering my PC while I'm surfing the net? They are such a pain, easy to get rid of but nevertheless a pain. And thank you for all the help you have given me.
     
  15. dr20

    dr20

    Joined:
    Apr 11, 2003
    Messages:
    1,649
    Spybot Search and Destroy has an immunization feature that helps to keep out over a thousand spyware programs.

    Another site has created a small file you add to the registry that sets the kill bit to prevent installation of many of the pests out there, including ISTsvc which infected your system. Just get the minimal download and click on it. That will protect you from nearly 400 spyware programs:

    SpywareGuide:
    http://www.spywareguide.com/blockfile.php
     
Short URL to this thread: https://techguy.org/326109
