Browser Hijacked (Log Inside with details by me)


This topic is locked
14 replies to this topic

#1 Kuval (New Member, 11 posts)

Posted 10 December 2005 - 02:28 PM

Hello,

I'm brand new to these forums, but in an extensive search I have found that Hijackthis is the biggest anti-hijack company out there.

I was surfing the web one day and I clicked a link and a popup came with a blank bookmark window that had some pretty harmless text... looked like a simple JavaScript. I don't remember where I was, because it was during some research for school. Anyways... after closing this bookmark window 5 times *it kept popping up* my browser closed. I tried to re-open it and I got "The application failed to initialize properly (0xc0000005). Click OK to terminate the application." I can take a screen shot if needed. I am running Windows 2000. I have since run HijackThis, XoftSpy (self-proclaimed best anti-spyware program), InoculateIT and Microsoft AntiSpyware.

I caught a lot of data miners... little cookies and things, but nothing harmful. I even caught a few trojans, deleted all of those, but my error still exists. My log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:11 PM, on 12/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\SYSTEM32\DWRCS.EXE
G:\WINNT\System32\svchost.exe
G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Computer Associates\InoculateIT\realmon.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
G:\Program Files\Microsoft Office\Office\OSA.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINNT\system32\wuauclt.exe
G:\Program Files\Yahoo!\Messenger\YPager.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - G:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] G:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Realtime Monitor] "G:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zmzgbj] C:\Program Files\Lyhmf\Cssicr.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = G:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - G:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - G:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - G:\WINNT\system32\ZoneLabs\vsmon.exe

Please get back to me as soon as possible, thanks :D.
-Dave

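Before a log like the one above is handed to a helper, a practitioner would want to triage it mechanically. The script below is an added example, not part of the original thread and not a HijackThis feature. It parses a handful of lines copied from the posted log (a constructed sample, with the URLs truncated exactly as the forum rendered them) and flags entries worth a second look using three assumed heuristics: an O4 Run entry whose binary sits on a different drive from the Windows directory (here Windows is on G:) or whose key, folder or file name contains no vowels; an R0/R1 start or search setting that points at a host outside an assumed allow-list (`TRUSTED_HOSTS` is the example's own choice); and an O23 service whose binary HijackThis reports as missing. A flag is a prompt to look closer, not a verdict that the entry is malicious.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log posted above.
# URLs are truncated exactly as the forum rendered them.
SAMPLE_LOG = r"""Running processes:
G:\WINNT\System32\smss.exe
G:\Program Files\Computer Associates\InoculateIT\realmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Realtime Monitor] "G:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zmzgbj] C:\Program Files\Lyhmf\Cssicr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - G:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumption for this example: hosts the owner would accept for IE's
# start page and search settings (the log shows yahoo.com as the chosen one).
TRUSTED_HOSTS = ("yahoo.com", "microsoft.com", "msn.com")

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R01_RE = re.compile(r'^R[01] - (?P<key>.+?) = (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
HOST_RE = re.compile(r'^https?://([^/\s]+)', re.IGNORECASE)
SYSROOT_RE = re.compile(r'^([A-Za-z]):\\(WINNT|WINDOWS)\\', re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
VOWELS = set("aeiou")


def system_drive(log_text):
    """Drive letter holding WINNT/WINDOWS, taken from the first path that shows it."""
    for line in log_text.splitlines():
        m = SYSROOT_RE.match(line.strip())
        if m:
            return m.group(1).upper()
    return None


def looks_random(token):
    """Alphabetic token of 4+ letters with no a/e/i/o/u, typical of generated names."""
    return len(token) >= 4 and token.isalpha() and not (set(token.lower()) & VOWELS)


def exe_from_command(cmd):
    """Executable path from a Run-key command, with surrounding quotes and arguments dropped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage(log_text):
    """Return a list of {section, reason, line} findings for entries worth reviewing."""
    sysdrive = system_drive(log_text)
    findings = []

    def flag(section, reason, line):
        findings.append({"section": section, "reason": reason, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("R3 -") and "is missing" in line:
            flag("R3", "default URLSearchHook reported missing", line)
            continue
        m = R01_RE.match(line)
        if m:
            h = HOST_RE.match(m.group("url"))
            host = h.group(1).lower() if h else ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS):
                flag("R0/R1", f"IE setting points at unrecognised host {host!r}", line)
            continue
        m = O4_RE.match(line)
        if m:
            name = m.group("name")
            path = exe_from_command(m.group("cmd")) or ""
            drive = path[0].upper() if re.match(r"^[A-Za-z]:", path) else None
            base = ntpath.splitext(ntpath.basename(path))[0]
            folder = ntpath.basename(ntpath.dirname(path))
            if drive and sysdrive and drive != sysdrive:
                flag("O4", f"autorun binary on {drive}: while Windows lives on {sysdrive}:", line)
            odd = [t for t in (name, base, folder) if looks_random(t)]
            if odd:
                flag("O4", "vowel-free name(s): " + ", ".join(odd), line)
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            flag("O23", "service registered for a binary that is no longer on disk", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the sample, the script leaves the vendor-signed entries (realmon, jusched, vsmon, the yahoo.com start page) alone and surfaces the search-bar redirect, the missing URLSearchHook, the `[Zmzgbj]` Run entry on both counts, and the orphaned MySQL service. The vowel rule is deliberately crude; a real triage would pair it with a hash lookup of the flagged file.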


#2 Kuval (New Member, 11 posts)

Posted 10 December 2005 - 02:34 PM

Oh yeah, just to add: There is a critical update that it says to do, and every time I do it, and reboot, the same update exists. I have tried uninstalling and re-installing IE, no success. This same silly vanilly update is there.

#3 Kuval (New Member, 11 posts)

Posted 10 December 2005 - 06:26 PM

bump

#4 Kuval (New Member, 11 posts)

Posted 11 December 2005 - 12:02 AM

bump again... :ph34r: looks like I'm not gonna get a response

#5 Kuval (New Member, 11 posts)

Posted 11 December 2005 - 01:14 PM

Hello,

I'm brand new to these forums, but in an extensive search I have found that Hijackthis is the biggest anti-hijack company out there.

I was surfing the web one day and I clicked a link and a popup came with a blank bookmark window that had some pretty harmless text... looked like a simple JavaScript. I don't remember where I was, because it was during some research for school. Anyways... after closing this bookmark window 5 times *it kept popping up* my browser closed. I tried to re-open it and I got "The application failed to initialize properly (0xc0000005). Click OK to terminate the application." I can take a screen shot if needed. I am running Windows 2000. I have since run HijackThis, XoftSpy (self-proclaimed best anti-spyware program), InoculateIT and Microsoft AntiSpyware.

I caught a lot of data miners... little cookies and things, but nothing harmful. I even caught a few trojans, deleted all of those, but my error still exists. The other problem that might be related, is there is a critical update always getting noticed by windows critical update manager or whatever for IE, and it reads as follows:
Cumulative Security Update for Outlook Express 6 SP1 (KB823353)
Size: 1.9 MB

A vulnerability exists in Outlook Express that could allow an attacker to cause Outlook Express to fail. You can help protect your computer by installing this update. After you install this update you may need to restart your computer.

Anyways.... No matter how many times I reinstall that update, its still there before I even reboot. I hope this helps.
My log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:11 PM, on 12/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\SYSTEM32\DWRCS.EXE
G:\WINNT\System32\svchost.exe
G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Computer Associates\InoculateIT\realmon.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
G:\Program Files\Microsoft Office\Office\OSA.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINNT\system32\wuauclt.exe
G:\Program Files\Yahoo!\Messenger\YPager.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - G:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] G:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Realtime Monitor] "G:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zmzgbj] C:\Program Files\Lyhmf\Cssicr.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = G:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - G:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - G:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - G:\WINNT\system32\ZoneLabs\vsmon.exe

Please get back to me as soon as possible, thanks.

#6 Kuval (New Member, 11 posts)

Posted 11 December 2005 - 05:14 PM

Even if there is no answer, can I at least be told that I have to wipe my drive and start over before I keep going? Thanks

#7 Kuval (New Member, 11 posts)

Posted 11 December 2005 - 09:38 PM

One more bump until tomorrow... and then I'll repost again I guess.

#8 Kuval (New Member, 11 posts)

Posted 12 December 2005 - 12:20 PM

Hello,

I'm brand new to these forums, but in an extensive search I have found that Hijackthis is the biggest anti-hijack company out there.

I was surfing the web one day and I clicked a link and a popup came with a blank bookmark window that had some pretty harmless text... looked like a simple JavaScript. I don't remember where I was, because it was during some research for school. Anyways... after closing this bookmark window 5 times *it kept popping up* my browser closed. I tried to re-open it and I got "The application failed to initialize properly (0xc0000005). Click OK to terminate the application." I can take a screen shot if needed. I am running Windows 2000. I have since run HijackThis, XoftSpy (self-proclaimed best anti-spyware program), InoculateIT and Microsoft AntiSpyware.

I caught a lot of data miners... little cookies and things, but nothing harmful. I even caught a few trojans, deleted all of those, but my error still exists. The other problem that might be related, is there is a critical update always getting noticed by windows critical update manager or whatever for IE, and it reads as follows:
Cumulative Security Update for Outlook Express 6 SP1 (KB823353)
Size: 1.9 MB

A vulnerability exists in Outlook Express that could allow an attacker to cause Outlook Express to fail. You can help protect your computer by installing this update. After you install this update you may need to restart your computer.

Anyways.... No matter how many times I reinstall that update, its still there before I even reboot. I hope this helps.
My log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:11 PM, on 12/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\SYSTEM32\DWRCS.EXE
G:\WINNT\System32\svchost.exe
G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Computer Associates\InoculateIT\realmon.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
G:\Program Files\Microsoft Office\Office\OSA.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINNT\system32\wuauclt.exe
G:\Program Files\Yahoo!\Messenger\YPager.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - G:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] G:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Realtime Monitor] "G:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zmzgbj] C:\Program Files\Lyhmf\Cssicr.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = G:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.0.69.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - G:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - G:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - G:\WINNT\system32\ZoneLabs\vsmon.exe

Please get back to me as soon as possible, thanks.

#9 Kuval (New Member, 11 posts)

Posted 13 December 2005 - 08:43 PM

:ph34r: bump

#10 ken545 (Forum God, MVP, Retired Classroom Teacher, 23,225 posts; Interests: Fighting Malware and cooking some great Italian and TexMex food)

Posted 14 December 2005 - 08:37 AM

Kuval,

Welcome to the forum. Please reply to this thread only by using the Reply button, not the New Thread button. Be advised that we are all volunteers and we do this out of the goodness of our hearts; the number of posts made every day goes into the hundreds, and at times we don't get to logs as fast as we would like to. Another point is that all our malware fighters look for logs with ZERO replies; by replying to yourself, you took yourself out of that category.

If you have not resolved your issue and still need my assistance, please post a new HJT log.

Ken

 
 
Just a reminder that threads will be closed if no reply in 3 days.

#11 Kuval (New Member, 11 posts)

Posted 21 December 2005 - 09:09 PM

Hey :D,

Great to get a reply. I might have had it sooner but misread, my bad :(.

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:01 PM, on 12/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\SYSTEM32\DWRCS.EXE
G:\WINNT\System32\svchost.exe
G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Computer Associates\InoculateIT\realmon.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
G:\Program Files\Microsoft Office\Office\OSA.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\WINNT\system32\wuauclt.exe
G:\Program Files\Yahoo!\Messenger\YPager.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\WINNT\System32\svchost.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] "G:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = G:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - G:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - G:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - G:\WINNT\system32\ZoneLabs\vsmon.exe

#12 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 December 2005 - 08:03 AM

Kuval,

This program used to be on the Rogue Spyware Programs list, G:\Program Files\XoftSpy they seemed to have cleaned up their act a little but they are still somewhere in the gray area. The programs we use and endorse are free and do a much better job getting rid of spyware. So I would suggest uninstalling this program, but it's your call. You can remove it from the Add-Remove Programs in the Control Panel. If you do uninstall it, open HJT Scan Only, close your browser and all open windows, put a checkmark in this entry and click on Fix Checked.

O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s

Outside of that, your log is not showing any evidence of any Malware or Viruses, not to say with the garbage these idiots are writing nowadays that something could be hidden. I am going to have you download and install a few programs, the first two are free and the third Spy Sweeper is the trial version. It's important that after you scan your system with one program, you need to reboot your system before you run the other. After you run the scans, I am going to have you clean up your system a little. At that point, if we deem that your system is free of Malware or Viruses, then it may be a windows Issue and then I can recommend some sites that specialize in that sort of problem.

Please use the links in my signature to download and install both of the following free programs that are highly respected from the people in the Malware Removal Community.

Spybot Search and Destroy 1.4

* If you have the older version 1.3, remove it via ADD-REMOVE PROGRAMS in the Control Panel.

Go to Start/ Control Panel/ Add-Remove Programs scroll to that program and click on Remove.

* During Installation, just follow all the defaults.
* Go to Mode and click on Advanced Mode
* Then to Updates Search for Updates
* If you get a Bad Checksum Error, just choose a different download location.
* Then to Settings/ File Sets and take the checkmark out of Usage Tracks
* Then to Tools/ Hosts Files click on Add Spybot S&D Hosts Files.
* Then to Tools/ IE Tweaks and put a checkmark in Lock the Hosts Files
* Then to Immunize. Up at the top by the GREEN SIGN, click on Immunize.
* Then to Search and Destroy/ Check for Problems
* Let it scan your system
* Then to Fix Problems and fix all it finds.

RE-BOOT your computer.



AD-AWARE SE PERSONAL 1.06

If you have an older version of Ad-Aware, no need to uninstall it, it will prompt you to uninstall it during the set up process

* During installation, follow all the defaults.
* Start the program and Check for Updates
* Choose Perform a Full System Scan
* Take the checkmark out of Search for Negligible Files
* Run the scan
* When it is done, Right Click on One of the Entries/ Select All/ Next and let it remove all that it finds.


Reboot your computer



Download the trial version of Spy Sweeper from Here
Scroll to the bottom of the page and install the 4.5 trial and not the free online scan.
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C.
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


Download and install Clean Up

* Click on Options
* Move the slider to Custom Scan
* Put a checkmark in the following ONLY


* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users




Restart your computer, and then please copy and paste the SpySweeper log into this thread, along with a new HJT log. If something is hidden on your system, it will show up here.

Ken :D


#13 Kuval

Kuval

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 22 December 2005 - 06:09 PM

Xoftspy is anti-spyware material that I paid money for, and it has removed many spyware utilities from my computer. I've had it for a year, and this IE problem is recent. I doubt the problem lies in Xoft.

Still can't use IE, followed all instructions, here's the updated logs:

********
4:20 PM: | Start of Session, Thursday, December 22, 2005 |
4:20 PM: Spy Sweeper started
4:20 PM: Sweep initiated using definitions version 589
4:20 PM: Starting Memory Sweep
4:22 PM: Memory Sweep Complete, Elapsed Time: 00:01:37
4:22 PM: Starting Registry Sweep
4:22 PM: Found Adware: ist slotchbar
4:22 PM: HKLM\software\classes\typelib\{8c752c5e-3c10-4076-af0a-ffc69fa20d10}\ (9 subtraces) (ID = 141839)
4:22 PM: HKCR\typelib\{8c752c5e-3c10-4076-af0a-ffc69fa20d10}\ (9 subtraces) (ID = 141844)
4:22 PM: Registry Sweep Complete, Elapsed Time:00:00:08
4:22 PM: Starting Cookie Sweep
4:22 PM: Found Spy Cookie: atwola cookie
4:22 PM: david@atwola[1].txt (ID = 2255)
4:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:22 PM: Starting File Sweep
4:26 PM: Found Adware: networkessentials
4:26 PM: nsdtmp09.dll (ID = 71040)
4:27 PM: Found Adware: zestyfind desktop links
4:27 PM: iconz.exe (ID = 119139)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:34 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
4:35 PM: Warning: Failed to read MFT entry 7409
4:37 PM: Warning: Failed to open file "g:\my downloads\ mpg, divx, ######, sex, nud". The system cannot find the file specified
4:40 PM: Warning: Failed to open file "g:\my downloads\umshot blowjob rear anal lesbian dildo cunt porno porn dick hardcore". The system cannot find the file specified
4:40 PM: Warning: Failed to open file "g:\my downloads\ith cock in ###### and sucks french cumshot (blowjob) rear anal lesbian dildo cunt porno ". The system cannot find the file specified
4:42 PM: Warning: Failed to open file "g:\my downloads\and sucks french cumshot (blowjo". The system cannot find the file specified
4:42 PM: Warning: Failed to open file "g:\my downloads\teen lesbians boobs tits orgasm ". The system cannot find the file specified
4:42 PM: Warning: Failed to open file "g:\my downloads\john holmes ron jeremy ginger ly". The system cannot find the file specified
4:42 PM: Warning: Failed to open file "g:\my downloads\i porno teen xxx movie sex blonde redhead gangbang cumshot(3).mpgt ????angbang cumshot(3).mpgt ?????
4:43 PM: File Sweep Complete, Elapsed Time: 00:20:59
4:43 PM: Full Sweep has completed. Elapsed time 00:22:46
4:43 PM: Traces Found: 23
4:45 PM: Removal process initiated
4:45 PM: Quarantining All Traces: ist slotchbar
4:45 PM: Quarantining All Traces: networkessentials
4:45 PM: Quarantining All Traces: zestyfind desktop links
4:45 PM: Quarantining All Traces: atwola cookie
4:45 PM: Removal process completed. Elapsed time 00:00:01
********
4:18 PM: | Start of Session, Thursday, December 22, 2005 |
4:18 PM: Spy Sweeper started
4:19 PM: Your spyware definitions have been updated.
4:20 PM: | End of Session, Thursday, December 22, 2005 |


And the updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:06:55 PM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\SYSTEM32\DWRCS.EXE
G:\WINNT\System32\svchost.exe
G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\WINNT\system32\stisvc.exe
G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Computer Associates\InoculateIT\realmon.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
G:\Program Files\Microsoft Office\Office\OSA.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINNT\system32\wuauclt.exe
G:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] "G:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = G:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = G:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM95\aim.exe
O20 - Winlogon Notify: WRNotifier - G:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - G:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - G:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - G:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - G:\WINNT\system32\ZoneLabs\vsmon.exe


Thx again Ken

#14 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 December 2005 - 06:38 PM

Kuval,

If you're happy with Xoftspy, then by all means keep it. I was just trying to make you aware that there are better programs out that are free and do just as well or better. You can read these two articles if you like.

http://www.infopacke...ate_or_scam.htm

http://www.reviewcen...views75821.html



Your Java is out of date and it is leaving your system vulnerable. You can get the updates from Sun Microsystems HERE
Scroll to the middle of the page and download JRE 5.0 Update 6
After it is installed, you can VERIFY the installation.



I don't see any evidence of Malware or a Virus on your system that would be causing you the problems that you are having. Here is another site with windows information

http://www.microsoft...s/IEtopten.mspx



Here are some sites that specialize in windows problems, we have an excellent forum right here at Tom Coyote. Just post with your problem and be sure to mention that you posted in this forum and that your HJT log was clean.

Tom Coyote
Windows Helpnet
Hardwareguys

Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.

Now that you're clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.

To Enter SAFEMODE

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

* Go to My Computer/ C: Drive/ Documents and Settings/ Local Settings/ Every User on this Computer and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder. But not the Prefetch folder itself.

NOW RE-BOOT NORMALLY


* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.

Now Empty your Recycle Bin

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

Reboot your System

Turn ON System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember

* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once a week.

* Here are Free Anti-Virus Programs if you need one

AVG Free Edition
AntiVir Personal Edition


* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.

* Spyware Blaster It will prevent most spyware from ever being installed.

* Spyware Guard It offers realtime protection from spyware installation attempts.

* Win Patrol This program will warn you when any changes are being made to your system and
give you the option to deny the change.

* IE- Spyad IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this for awhile, you will want to make it your default.

* Thunderbird Mail Their companion mail program was highly favored in PCWorld Magazine, this has a good spam filter and is more secure than Outlook Express.

* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.

* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.

* Go to START/ CONTROL PANEL> PERFORMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.


I hope you find the answers to your problems, this forum is for the removal of Malware so I can't help you any further, we just do malware and virus removal.

Thanks for using Tom Coyote

Ken :D

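Ken's reading of the two logs in this thread comes down to comparing successive HijackThis scans and checking what changed among the autostart lines (O2 BHOs, O4 Run keys, O20 Winlogon notify DLLs, O23 services). The following Python is an added example, not code from the thread or from HijackThis: it parses the HJT log format, diffs two scans, and lists entries that carry no vendor or display name and so have to be verified on disk. The sample logs are constructed excerpts of the two posted above.

```python
import re
from dataclasses import dataclass

# HijackThis entry types that describe code loaded automatically: BHOs (O2),
# Run keys and startup folders (O4), Winlogon notify DLLs (O20), services
# (O23). Preference lines such as R0 (start page) are left out of the diff.
AUTOSTART_TYPES = {"O2", "O4", "O20", "O23"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

@dataclass(frozen=True, order=True)
class HjtEntry:
    kind: str    # e.g. "O4", "O23"
    detail: str  # everything after "Oxx - "

def parse_hjt_log(text):
    """Split a HijackThis log into (running processes, entries)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(HjtEntry(m.group(1), m.group(2)))
    return processes, entries

def diff_hjt_logs(old_text, new_text):
    """Autostart entries that appeared or disappeared between two scans."""
    old = {e for e in parse_hjt_log(old_text)[1] if e.kind in AUTOSTART_TYPES}
    new = {e for e in parse_hjt_log(new_text)[1] if e.kind in AUTOSTART_TYPES}
    return sorted(new - old), sorted(old - new)

def flag_for_review(entries):
    """Autostart entries with no vendor or display name. Not malicious as such
    (here: an ATI driver service and Spybot's SDHelper), but they cannot be
    cleared from the log text alone and must be checked on disk."""
    markers = ("Unknown owner", "(no name)")
    return [e for e in entries
            if e.kind in AUTOSTART_TYPES and any(m in e.detail for m in markers)]

# Constructed excerpts of the two logs posted in the thread (21 and 22 Dec).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
G:\WINNT\System32\smss.exe
G:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
G:\WINNT\System32\smss.exe
G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
G:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [XoftSpy] G:\Program Files\XoftSpy\XoftSpy.exe -s
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM95\aim.exe
O20 - Winlogon Notify: WRNotifier - G:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

if __name__ == "__main__":
    added, removed = diff_hjt_logs(OLD_LOG, NEW_LOG)
    for e in added:
        print("NEW  ", e.kind, e.detail)
    for e in flag_for_review(parse_hjt_log(NEW_LOG)[1]):
        print("CHECK", e.kind, e.detail)
```

Between the two excerpts the only new autostart items are the Spybot helper, the Spy Sweeper notify DLL and the Spy Sweeper service, all of which Ken had just told Kuval to install, which is the same conclusion he reached by eye.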

#15 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 08 January 2006 - 06:49 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

