kRaZyPsYkO Posted January 19, 2005
My girlfriend was on my computer and accidentally clicked on a popup. This sent tons of spy and adware into my computer. I removed almost all of it with Spybot S&D and Webroot Spy Sweeper, but I still have 2 files which are said to be "Embedded" in my System32 file. I have Windows 2000, and I really need these off my computer, because they won't let me install anything and they're forcing my memory to run low.
The files are named:
mac80ex.idf
netut80ex.vxd
I know these are associated with "Bargain Buddy" and something else, but I don't know how to remove them and I don't want my system to mess up. Please help me out, and by the way, I don't understand a lot of techie lingo, so speak English to me. I'm a newb ;D
Thanks
mikex Posted January 19, 2005
Welcome to Besttechie. I don't have much time right now, found this at pest patrol.com. Down the page a bit are manual removal instructions. Post back.
M
Dan Posted January 19, 2005
If that does not work, read "Posting a Correct HijackThis Log" from http://www.besttechie.net/forums/index.php?showtopic=1455, and post a log in the forums.
Thanks,
dk
kRaZyPsYkO (Author) Posted January 20, 2005 (edited)
POST HAS BEEN MERGED

Logfile of HijackThis v1.99.0
Scan saved at 10:24:29 PM, on 1/19/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ares\Ares.exe
D:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Capital Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 3.120.88.*;3.120.92.*;3.120.96.*;3.120.196.*;3.120.252.*;3.58.248.*;*.capital.ge.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

Hope you can help me! Thanks
Edited January 27, 2005 by dknoppix
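As an added example (not part of this thread, of HijackThis, or of Besttechie), here is a small Python triage helper that parses HijackThis entry lines of the kind shown in the log above into fields and flags the items a log helper looks at first; the sample lines are a constructed subset of that log, and the triage rules are this example's own, not HijackThis's.

```python
"""Triage helper for HijackThis v1.99-style log entries.

Added example for this thread; it is not part of the Besttechie post or of
HijackThis. It parses the "R0/O2/O4/O6/O23 - ..." entry lines into fields
and flags the entry kinds a log helper checks first: O23 services whose
binary is missing or whose publisher is Unknown, O6 Internet Explorer policy
restrictions, O2 Browser Helper Objects (by CLSID and DLL path), and O4
startup entries that give no full path. The rules are this example's own.
"""
import re

# "<code> - <rest>"; codes seen in the thread: R0, R1, O2, O3, O4, O6, O9, O12, O16, O23.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 Run-key entries: HKLM\..\Run: [label] command
O4_RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Constructed sample: a subset of the entry lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
"""


def parse_line(line):
    """Parse one log line into a dict; header and 'Running processes' lines give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    entry = {"code": code, "raw": rest}
    if code == "O23" and rest.startswith("Service: "):
        # Service: <display name> - <company> - <image path>[ (file missing)]
        name, _, tail = rest[len("Service: "):].partition(" - ")
        company, _, path = tail.partition(" - ")
        entry["name"] = name
        entry["company"] = company
        entry["file_missing"] = path.endswith("(file missing)")
        entry["path"] = path.replace("(file missing)", "").strip()
    elif code == "O2" and rest.startswith("BHO: "):
        # BHO: <name> - {CLSID} - <dll path>
        name, _, tail = rest[len("BHO: "):].partition(" - ")
        clsid, _, path = tail.partition(" - ")
        entry["name"] = name
        entry["clsid"] = clsid if CLSID_RE.fullmatch(clsid) else None
        entry["path"] = path.strip()
    elif code == "O4":
        m4 = O4_RUN_RE.match(rest)
        if m4:
            entry["hive"], entry["label"], entry["command"] = m4.groups()
    return entry


def parse_log(text):
    """Return the parsed entry lines of a whole log, in order."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def triage(entries):
    """Return (severity, message) pairs for the entries worth a second look.

    'review' means a helper would ask about it; 'info' is context only. An O6
    restriction or a path-less O4 entry can be legitimate (corporate policy,
    a program found on PATH), which is why this only reports and never deletes.
    """
    findings = []
    for e in entries:
        if e["code"] == "O23" and "name" in e:
            if e["file_missing"]:
                findings.append(("review", f"O23 service '{e['name']}' ({e['company']}) "
                                           f"points at a missing file: {e['path']}"))
            elif e["company"] == "Unknown":
                findings.append(("review", f"O23 service '{e['name']}' has no publisher: {e['path']}"))
        elif e["code"] == "O6":
            findings.append(("review", "O6 IE policy restriction present: " + e["raw"]))
        elif e["code"] == "O2" and "clsid" in e:
            findings.append(("info", f"O2 BHO '{e['name']}' {e['clsid']} -> {e['path']}"))
        elif e["code"] == "O4" and "command" in e:
            # First token of the command; a bare file name means Windows resolves it via PATH.
            target = e["command"].split(" ")[0].strip('"')
            if "\\" not in target:
                findings.append(("info", f"O4 [{e['label']}] runs '{target}' without a full path"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```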
kRaZyPsYkO (Author) Posted January 20, 2005
I got HijackThis, and I have a log in the HijackThis Log Board, so check it out and let me know what's up. I really appreciate it.
Dan Posted January 20, 2005
Hi! I am looking at your log and will post a response soon!
dk
kRaZyPsYkO (Author) Posted January 20, 2005
Thanks a lot. I'm really glad you're helping me. Thanks again!
Dan Posted January 20, 2005
Have you run AdAware SE? If not, download it from: http://www.lavasoftusa.com/support/download/
Open it up, and most likely it will ask to search for updates. If it does not, click the globe in the upper-right corner and download them. Run it, and delete all of the critical objects found.
Post a new log for me.
dk
kRaZyPsYkO (Author) Posted January 21, 2005
Ok, got it. Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 9:53:13 PM, on 1/20/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Capital Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 3.120.88.*;3.120.92.*;3.120.96.*;3.120.196.*;3.120.252.*;3.58.248.*;*.capital.ge.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

Hope you can do it again :\
kRaZyPsYkO (Author) Posted January 21, 2005
Scanned again, here's the newer log file.

There you go :\ Thanks
Dan Posted January 21, 2005
Can you please post a new HijackThis log! Sorry about the messy instructions.
dk
kRaZyPsYkO (Author) Posted January 21, 2005
The instructions are fine, whatever you need to figure it out I'm willing to do.
Here's the new HiJackThis log.
-------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 8:21:49 AM, on 1/21/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\MsiExec.exe
D:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Capital Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 3.120.88.*;3.120.92.*;3.120.96.*;3.120.196.*;3.120.252.*;3.58.248.*;*.capital.ge.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
------------------------------------------------------------------------------------------------------
Anyways, hope that's enough.
Dan Posted January 22, 2005
Hi kRaZyPsYkO,
Close all windows except HijackThis, and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 3.120.88.*;3.120.92.*;3.120.96.*;3.120.196.*;3.120.252.*;3.58.248.*;*.capital.ge.com;localhost
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

These should not be here except if your administrator set them on purpose or if you used Spybot's Home Page and Option Lock down features in the Immunize section of Spybot.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all windows except HijackThis and click the "Fix Checked" button. Reboot and go to this site: http://www.kaspersky.com/scanforvirus.
Where it says "Browse" find the following file: C:\WINNT\System32\internat.exe
Tell me if it says that the file is legit or malware. Post back with an answer to that and a new HijackThis log.
dk
kRaZyPsYkO (Author) Posted January 24, 2005
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

I bought my computer from General Electric, my aunt's company, so they probably had restrictions on Internet Explorer so that the employees wouldn't fool around when they should be working, or so the employees could cover their tracks when they were fooling around. Anyways, I'm in the process of doing what you said. Thanks a lot for the help.
kRaZyPsYkO (Author) Posted January 24, 2005
Ok, that website said I was clean, so I guess that file is fine.
Here's the log before I deleted those things:

Logfile of HijackThis v1.99.0
Scan saved at 10:42:04 PM, on 1/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Capital Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 3.120.88.*;3.120.92.*;3.120.96.*;3.120.196.*;3.120.252.*;3.58.248.*;*.capital.ge.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
---------------------------------------------------------------------------------------------------------
And after:

Logfile of HijackThis v1.99.0
Scan saved at 10:59:18 PM, on 1/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Capital Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
--------------------------------------------------------------------------------------------------------------
Hope that did something. Thanks again.
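A small parser for the HijackThis log format posted in this thread, added here as an example (it is not code from the thread, from HijackThis or from its author). It applies the triage rules behind the January 22 reply (a blanked Default_Page_URL, a ProxyOverride naming outside hosts, the IE "Related" entries, an O23 service with a missing file, the O6 policy keys) to constructed sample lines, and diffs a before/after pair the way the two logs above were compared; the sample logs, rule set, reason strings and function names are this example's own assumptions.

```python
"""Parse HijackThis (HJT) logs, flag the entry types singled out in the thread,
and diff a before/after pair to see what "Fix Checked" removed.

Added example: not code from the thread, from HijackThis or from its author.
The sample logs below are constructed from entries quoted in the thread; the
rule set, function names and reason strings are this example's own choices.
"""
import re
from typing import Dict, List, NamedTuple

# Every HJT finding looks like "O23 - Service: Name - Company - C:\path".
# The header and the "Running processes:" list do not match and are skipped.
_ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Hosts that legitimately belong in a ProxyOverride (proxy bypass) list.
_BENIGN_BYPASS = {"localhost", "<local>", "127.0.0.1"}


class Entry(NamedTuple):
    section: str   # e.g. "R1", "O6", "O23"
    body: str      # everything after "Rn - " / "On - "

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O findings of an HJT log in file order."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> Dict[str, str]:
    """Map each suspicious entry line to the reason it was flagged.

    The rules mirror the items the helper asked to have fixed: a blanked
    Default_Page_URL, a ProxyOverride naming outside hosts, the IE 'Related'
    button/menu item, an O23 service whose binary is gone, and the O6 IE
    policy entries (legitimate under an admin lockdown, otherwise suspect).
    """
    flagged: Dict[str, str] = {}
    for e in entries:
        if e.section == "R1" and e.body.endswith("Default_Page_URL = about:blank"):
            flagged[e.line()] = "default page blanked (typical hijack residue)"
        elif e.section == "R1" and ",ProxyOverride =" in e.body:
            hosts = [h.strip() for h in e.body.split("=", 1)[1].split(";")]
            if any(h and h not in _BENIGN_BYPASS for h in hosts):
                flagged[e.line()] = "proxy bypass list names outside hosts"
        elif e.section == "O6":
            flagged[e.line()] = "IE policy restriction present (admin lockdown or malware)"
        elif e.section == "O9" and "related.htm" in e.body.lower():
            flagged[e.line()] = "IE 'Related' button/menu item is not needed"
        elif e.section == "O23" and e.body.endswith("(file missing)"):
            flagged[e.line()] = "service points at a file that no longer exists"
    return flagged


def diff_logs(before: List[Entry], after: List[Entry]) -> List[str]:
    """Entry lines present in BEFORE but absent from AFTER (what the fix removed)."""
    gone = set(after)
    return [e.line() for e in before if e not in gone]


# Constructed sample: a few lines in the shape of the thread's 1/23/2005 logs.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:42:04 PM, on 1/23/2005
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 3.120.88.*;*.capital.ge.com;localhost
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:59:18 PM, on 1/23/2005
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for line, why in triage(before).items():
        print(f"FLAG  {why}\n      {line}")
    print("\nRemoved by the fix:")
    for line in diff_logs(before, after):
        print("  -", line)
    print("\nStill flagged afterwards:", list(triage(after)))
```

Run it on a real log by reading the file into `parse_hjt`; the O6 entries stay flagged after the fix, which matches the thread, where those keys turned out to be a corporate lockdown rather than the adware.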
kRaZyPsYkO (Author) Posted January 24, 2005
BTW, I went back to that Kaspersky Lab site, and decided to enter the infected files I stated in my first post:

C:\WINNT\System32\mac80ex.idf

And it brought up this:

mac80ex.idf/C:/WINNT/System32/vx1.nls - OK
mac80ex.idf/C:/WINNT/System32/vx1x.nls - OK
mac80ex.idfC:/WINNT/System32/msbe.dll - infected by not-a-virus:AdWare.BargainBuddy.l
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0001 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0002 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0003 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0004 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0005 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0006 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream/data0007 - OK
mac80ex.idfC:/Program Files/BullsEye Network/Uninstall.exe/stream - OK
mac80ex.idf/C:/Program Files/BullsEye Network/Uninstall.exe - OK
~s/BullsEye Network/bin/bargains.exe - infected by not-a-virus:AdWare.BargainBuddy.n
~ Files/BullsEye Network/bin/adv.exe - infected by not-a-virus:AdWare.BargainBuddy.n
~ Files/BullsEye Network/bin/adx.exe - infected by not-a-virus:AdWare.BargainBuddy.n

And for the second one:

C:\WINNT\System32\netut80ex.vxd

It brought up this:

netut80ex.vxd/C:/WINNT/System32/vx0.nls - OK
netut80ex.vxdC:/WINNT/System32/exdl.exe - infected by not-a-virus:AdWare.BargainBuddy.n
netut80ex.vxdC:/WINNT/System32/mqexdlm.srg - infected by not-a-virus:AdWare.BargainBuddy.n
netut80ex.vxdC:/WINNT/System32/exul.exe - infected by not-a-virus:AdWare.BargainBuddy.q
netut80ex.vxdC:/WINNT/System32/javexulm.vxd - infected by not-a-virus:AdWare.BargainBuddy.q
netut80ex.vxd/C:/WINNT/System32/bbchk.exe - OK
netut80ex.vxd/C:/WINNT/System32/msexreg.exe - OK
~/WINNT/System32/instsrv.exe - infected by not-a-virus:RiskWare.Tool.ServiceRunner.f
netut80ex.vxd/C:/WINNT/System32/exclean.exe/stream - OK
netut80ex.vxd/C:/WINNT/System32/exclean.exe - OK
netut80ex.vxd/C:/WINNT/System32/basexinfo.txt - OK

The mac80ex one seems like I can uninstall it if you look at what was scanned. I'm not going to do it until recommended by one of you 'professionals' ;D.
So, please do let me know what I should do about these ones, and maybe what I did was smart. Let me know.
Dan Posted January 24, 2005
You seem to have BargainBuddy on your system. Please download Microsoft AntiSpyware from http://www.microsoft.com/downloads/details...&displaylang=en
Install it, update it as it moves through the setup screens after you launch it. Decide to do a full system scan. Delete all it finds.
Reboot and post a new log.
dk
kRaZyPsYkO (Author) Posted January 27, 2005
I can't install it, the virus must be interfering or something.
Dan Posted January 27, 2005
You say you have trouble installing it? Does it give an error message or anything?
dk
kRaZyPsYkO (Author) Posted January 28, 2005
Nope, it just closes the install wizard, after it goes through all the steps of where to put it and such. It sucks.
Dan Posted January 29, 2005
Download Spybot Search and Destroy from http://www.safer-networking.org/index.php?page=mirrors.
Install it, update it, and run it.
Post a new log.
kRaZyPsYkO (Author) Posted February 6, 2005
I already had it, so I scanned again. Deleted one problem called DS Exploit, which goes through IE. Here's the HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 3:15:00 PM, on 2/6/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Capital Canada
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Dan Posted February 8, 2005
Hi, your log looks clean. Are you having any trouble with your computer?
dk
kRaZyPsYkO (Author) Posted February 14, 2005
Tons. I can't install a lot of things, like, the install option will show up, I'll choose it, and nothing will happen. The box just won't come up. It's getting REALLY annoying, and I just want this crap off my computer. Is there any way to just go into the system32 file and delete these? Or... would that just mess me up even more?
I hate this.
Dan Posted February 14, 2005
Hmm... It could be:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Some types of malware install this, even though it might not solve your problem. If worse comes to worst, I might have to email you the files for the installs. Try this (if you haven't done this before):
Run these scans in Internet Explorer:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/ac...ef=EN-PR-AS-107
Post a new log.
dk