Clint's Computer

Gnimsh · March 7, 2005

This is from the computer of a friend of mine who has been having a terrible time, particularly w/ bullseye network.

Logfile of HijackThis v1.99.1

Scan saved at 6:43:59 PM, on 3/7/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\temp\salm.exe

C:\Program Files\BullsEye Network\bin\bargains.exe

C:\Program Files\DeskAd Service\DeskAdServ.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\Program Files\DeskAd Service\DeskAdKeep.exe

C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\sahAgent.exe

E:\Trillian\trillian.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\program files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.averatec.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: (no name) - _{269B6797-664E-48AA-B283-B012BDF6E525} - (no file)

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ohb Class - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\System32\winhot32.dll

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL

O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-C8FB-FC6DA787AD2D} - C:\PROGRA~1\POWERS~2\Toolbar\pwrsacez.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C8FB-FC6DA787AD2D} - C:\PROGRA~1\POWERS~2\Toolbar\pwrsacez.dll

O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - C:\WINDOWS\System32\winhot32.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [zsj] C:\WINDOWS\zsj.exe

O4 - HKLM\..\Run: [sAHAgent] C:\WINDOWS\system32\SahAgent.exe

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe

O4 - HKLM\..\RunOnce: [sahUpgrade] C:\DOCUME~1\Bryan\LOCALS~1\Temp\SahUpdate\upgrade.exe iteration3 -setup4003 -2000

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSACEZ\Cache\SelectedContextSearch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com

O16 - DPF: {01D76E36-D5ED-132D-BAFA-4AD54AFD2FE1} - http://66.117.42.151/1/gdnUS243.exe

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Dragon · March 8, 2005

bad news and good news

which do you want first??/

ok bad news, CWS in this machine

Good news, its cleanable

Please Download CWShredder from http://cwshredder.net/bin/CWShredder.exel and run the Program twice. Press the "Fix Button" Let it fix all variants.

Next, please look over the Following Entries I have listed, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: (no name) - _{269B6797-664E-48AA-B283-B012BDF6E525} - (no file)

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

O2 - BHO: ohb Class - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\System32\winhot32.dll

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL

O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-C8FB-FC6DA787AD2D} - C:\PROGRA~1\POWERS~2\Toolbar\pwrsacez.dll

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C8FB-FC6DA787AD2D} - C:\PROGRA~1\POWERS~2\Toolbar\pwrsacez.dll

O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - C:\WINDOWS\System32\winhot32.dll

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [zsj] C:\WINDOWS\zsj.exe

O4 - HKLM\..\Run: [sAHAgent] C:\WINDOWS\system32\SahAgent.exe

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe

O4 - HKLM\..\RunOnce: [sahUpgrade] C:\DOCUME~1\Bryan\LOCALS~1\Temp\SahUpdate\upgrade.exe iteration3 -setup4003 -2000

O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O16 - DPF: {01D76E36-D5ED-132D-BAFA-4AD54AFD2FE1} - http://66.117.42.151/1/gdnUS243.exe

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

After this, Reboot and Delete the following files:

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\temp\salm.exe

C:\Program Files\BullsEye Network

C:\Program Files\DeskAd Service

C:\Program Files\Windows AdTools

C:\WINDOWS\system32\sahAgent.exe

C:\WINDOWS\System32\winhot32.dll

C:\Program Files\SideFind

C:\WINDOWS\system32\msbe.dll

C:\PROGRA~1\SEARCH~2

c:\temp\salm.exe

C:\WINDOWS\zsj.ex

C:\WINDOWS\system32\SahAgent.exe

C:\DOCUME~1\Bryan\LOCALS~1\Temp\SahUpdate

C:\Program Files\LimeWire

C:\WINDOWS\zeta.exe

Note: Make sure you have Set Windows to show Hidden Files & Folders before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.nz/help/0,,4155-1916458,00.html

To Delete These Files/Folders, You Will need to Boot into Safe Mode. This can be done by tapping F8 while your machine restarts.

Gnimsh · March 8, 2005

New Log: