Registry Issue? HJT Log
Hello,
I have run Spybot and found it can't remove something in particular, which I suspect to be a registry issue. The spyware is called Holistyc, and after a restart other issues come about like additional spyware.
Here is a HJT log and if someone could have a look I'd really appreciate it.
Many thanks
Logfile of HijackThis v1.99.1
Scan saved at 6:06:18 p.m., on 16/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\DSLAGENT.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Starlyte\Desktop\Nic\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE PCI
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
chiaz
16 May 2006, 10:05am
Hi, I will be helping you.
Download and run CWShredder from its own folder:
http://cwshredder.net/bin/CWShredder.exe
Click Fix and then Next, let it fix everything it asks about.
Then download AboutBuster (http://www.malwarebytes.org/AboutBuster.zip). Credits go to RubbeR DuckY aka Marcin Kleczynski.
Double click the AboutBuster folder, then double click the AboutBuster.exe inside.
Click "Extract all" in the box that pops up, then "Next".
Choose the location you would like to install AboutBuster, such as My Documents.
Make sure "Show extracted files" is checked, then click "Finish".
Reboot to safe mode by continually tapping the F8 key as the computer begins to boot.
Open AboutBuster and click the "Begin Removal" button. AboutBuster will finish and open a new page. Follow the instructions for protection on that page. It will shut down all Explorer windows (if open) while it works.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log and save it to somewhere convenient. If your problem is not fixed, a Malware Removal Expert might need to see this log.
Reboot your computer into safe mode again.
Run AboutBuster again following the same instructions as above, this time without the restart at the end.
Note: If you receive any error messages please open the readme file in the AboutBuster folder and follow the directions provided for correcting that error.
Next download the attached zip file and unzip it to your desktop.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the deldomains.inf file and select 'Install'.
Then restart your computer again. Rescan with HijackThis and post the fresh log in your next reply.
Did all that you asked, and here is the HJT log.
Aboutbuster removed something, whereas CWShredder didn't find what it was looking for.
Search and Destroy still picks up the Hotsyik or whatever it is named.
Logfile of HijackThis v1.99.1
Scan saved at 11:12:42 a.m., on 17/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\DSLAGENT.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Starlyte\Desktop\Nic\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE PCI
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
AboutBuster 6.01
Scan started on [17/05/2006] at [10:35:45 a.m.]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\bvbkv.txt:anbsgy
Removed Stream! C:\WINDOWS\bvbkv.txt:moyclv
Removed Stream! C:\WINDOWS\chgxm.txt:uqiasr
Removed Stream! C:\WINDOWS\duyoj.txt:wwrndq
Removed Stream! C:\WINDOWS\eqbhw.txt:owksfa
Removed Stream! C:\WINDOWS\fcpaa.log:fbnrkp
Removed Stream! C:\WINDOWS\fcpaa.log:teuirx
Removed Stream! C:\WINDOWS\fcpaa.log:ucdlo
Removed Stream! C:\WINDOWS\hfrog.txt:ldcryy
Removed Stream! C:\WINDOWS\hfrog.txt:lspljo
Removed Stream! C:\WINDOWS\huglq.log:cwcoun
Removed Stream! C:\WINDOWS\huglq.log:tkdhtb
Removed Stream! C:\WINDOWS\iirbc.txt:alxkyf
Removed Stream! C:\WINDOWS\iirbc.txt:hkadfl
Removed Stream! C:\WINDOWS\iirbc.txt:lwrwes
Removed Stream! C:\WINDOWS\iirbc.txt:uecykg
Removed Stream! C:\WINDOWS\iirbc.txt:zysfuy
Removed Stream! C:\WINDOWS\lqrxl.log:llxqqe
Removed Stream! C:\WINDOWS\lqrxl.log:yfudhm
Removed Stream! C:\WINDOWS\lqrxl.log:zcamld
Removed Stream! C:\WINDOWS\objkv.log:qiuvzp
Removed Stream! C:\WINDOWS\objkv.log:tlssqp
Removed Stream! C:\WINDOWS\qqibr.dat:jflmqw
Removed Stream! C:\WINDOWS\qqibr.dat:lugtlc
Removed Stream! C:\WINDOWS\qqibr.dat:nlynos
Removed Stream! C:\WINDOWS\rtvtl.txt:cmmno
Removed Stream! C:\WINDOWS\rtvtl.txt:owgem
Removed Stream! C:\WINDOWS\rtvtl.txt:rddrxr
Removed Stream! C:\WINDOWS\rtvtl.txt:xpxgvv
Removed Stream! C:\WINDOWS\SchedLgU.Txt:ilyzdg
Removed Stream! C:\WINDOWS\SchedLgU.Txt:vgkxdc
Removed Stream! C:\WINDOWS\Sti_Trace.log:tqgsgn
Removed Stream! C:\WINDOWS\Sti_Trace.log:usujtg
Removed Stream! C:\WINDOWS\Sti_Trace.log:wschh
Removed Stream! C:\WINDOWS\taknp.txt:lrrxax
Removed Stream! C:\WINDOWS\ujmeu.log:eskcca
Removed Stream! C:\WINDOWS\uliqr.log:axzdl
Removed Stream! C:\WINDOWS\uliqr.log:emxrny
Removed Stream! C:\WINDOWS\uliqr.log:huglqz
Removed Stream! C:\WINDOWS\uliqr.log:rpbqaq
Removed Stream! C:\WINDOWS\uliqr.log:wksuoz
Removed Stream! C:\WINDOWS\uliqr.log:xwgpde
Removed Stream! C:\WINDOWS\wiaservc.log:gjtxxs
Removed Stream! C:\WINDOWS\wiaservc.log:yujph
Removed Stream! C:\WINDOWS\WindowsUpdate.log:nsxoqn
Removed Stream! C:\WINDOWS\WindowsUpdate.log:qvuhml
Removed Stream! C:\WINDOWS\winnt.bmp:jpzfvd
Removed Stream! C:\WINDOWS\winnt256.bmp:fspusx
Removed Stream! C:\WINDOWS\winnt256.bmp:lybcml
Removed Stream! C:\WINDOWS\winnt256.bmp:rlhgz
Removed Stream! C:\WINDOWS\winnt256.bmp:xnzgo
Removed Stream! C:\WINDOWS\winnt256.bmp:xwkyww
Removed Stream! C:\WINDOWS\wvoap.txt:culowt
Removed Stream! C:\WINDOWS\wvoap.txt:hslnbv
Removed Stream! C:\WINDOWS\wvoap.txt:kvucnc
Removed Stream! C:\WINDOWS\wvoap.txt:vstlrn
Removed Stream! C:\WINDOWS\wvoap.txt:xirubc
Removed Stream! C:\WINDOWS\xnsoy.dat:csjfuw
Removed Stream! C:\WINDOWS\xnsoy.dat:ghydhz
Removed Stream! C:\WINDOWS\xnsoy.dat:ooptyq
Removed Stream! C:\WINDOWS\xnsoy.dat:psmdns
Removed Stream! C:\WINDOWS\yvcco.dat:asfiqc
Removed Stream! C:\WINDOWS\yvcco.dat:dtxpmm
Removed Stream! C:\WINDOWS\yvcco.dat:hoiysa
Removed Stream! C:\WINDOWS\yvcco.dat:txyzal
-------------------------------------------------------------
Removed File! : C:\WINDOWS\bvbkv.txt
Removed File! : C:\WINDOWS\chgxm.txt
Removed File! : C:\WINDOWS\duyoj.txt
Removed File! : C:\WINDOWS\eqbhw.txt
Removed File! : C:\WINDOWS\fcpaa.log
Removed File! : C:\WINDOWS\hfrog.txt
Removed File! : C:\WINDOWS\huglq.log
Removed File! : C:\WINDOWS\iirbc.txt
Removed File! : C:\WINDOWS\lqrxl.log
Removed File! : C:\WINDOWS\objkv.log
Removed File! : C:\WINDOWS\qqibr.dat
Removed File! : C:\WINDOWS\rtvtl.txt
Removed File! : C:\WINDOWS\taknp.txt
Removed File! : C:\WINDOWS\ujmeu.log
Removed File! : C:\WINDOWS\uliqr.log
Removed File! : C:\WINDOWS\wvoap.txt
Removed File! : C:\WINDOWS\xnsoy.dat
Removed File! : C:\WINDOWS\yvcco.dat
Removed File! : C:\WINDOWS\system32\addxz.exe
Removed File! : C:\WINDOWS\system32\amnke.dat
Removed File! : C:\WINDOWS\system32\bflvw.dat
Removed File! : C:\WINDOWS\system32\bjyow.dat
Removed File! : C:\WINDOWS\system32\bxfbf.dat
Removed File! : C:\WINDOWS\system32\colwp.log
Removed File! : C:\WINDOWS\system32\cqkli.log
Removed File! : C:\WINDOWS\system32\desjx.txt
Removed File! : C:\WINDOWS\system32\dhbqg.txt
Removed File! : C:\WINDOWS\system32\dhxfc.dat
Removed File! : C:\WINDOWS\system32\dvfxq.txt
Removed File! : C:\WINDOWS\system32\dzhcy.dat
Removed File! : C:\WINDOWS\system32\eahqs.log
Removed File! : C:\WINDOWS\system32\eboze.dat
Removed File! : C:\WINDOWS\system32\elhhx.log
Removed File! : C:\WINDOWS\system32\ellnf.log
Removed File! : C:\WINDOWS\system32\ephkf.dat
Removed File! : C:\WINDOWS\system32\ezgtv.dat
Removed File! : C:\WINDOWS\system32\ffvkx.log
Removed File! : C:\WINDOWS\system32\ficgf.dat
Removed File! : C:\WINDOWS\system32\fyaij.dat
Removed File! : C:\WINDOWS\system32\fzovz.log
Removed File! : C:\WINDOWS\system32\gfsqi.txt
Removed File! : C:\WINDOWS\system32\ghdxw.dat
Removed File! : C:\WINDOWS\system32\hndfo.log
Removed File! : C:\WINDOWS\system32\holij.txt
Removed File! : C:\WINDOWS\system32\hpjgd.log
Removed File! : C:\WINDOWS\system32\hwnfv.dat
Removed File! : C:\WINDOWS\system32\ijnai.txt
Removed File! : C:\WINDOWS\system32\imqxp.txt
Removed File! : C:\WINDOWS\system32\jctrx.log
Removed File! : C:\WINDOWS\system32\jhjsy.dat
Removed File! : C:\WINDOWS\system32\jivyv.dat
Removed File! : C:\WINDOWS\system32\jxara.txt
Removed File! : C:\WINDOWS\system32\kanzv.log
Removed File! : C:\WINDOWS\system32\kuvak.txt
Removed File! : C:\WINDOWS\system32\letrq.log
Removed File! : C:\WINDOWS\system32\lpnvf.txt
Removed File! : C:\WINDOWS\system32\matwl.log
Removed File! : C:\WINDOWS\system32\mhmbp.log
Removed File! : C:\WINDOWS\system32\msugx.dat
Removed File! : C:\WINDOWS\system32\nanhc.dat
Removed File! : C:\WINDOWS\system32\nbkwq.dat
Removed File! : C:\WINDOWS\system32\nbuxf.txt
Removed File! : C:\WINDOWS\system32\netnm.exe
Removed File! : C:\WINDOWS\system32\nizdf.dat
Removed File! : C:\WINDOWS\system32\nkxmu.dat
Removed File! : C:\WINDOWS\system32\ogvcf.txt
Removed File! : C:\WINDOWS\system32\orsdt.txt
Removed File! : C:\WINDOWS\system32\otogw.dat
Removed File! : C:\WINDOWS\system32\pesmu.log
Removed File! : C:\WINDOWS\system32\qhywi.txt
Removed File! : C:\WINDOWS\system32\rcwth.txt
Removed File! : C:\WINDOWS\system32\rhaxp.dat
Removed File! : C:\WINDOWS\system32\ruwut.dat
Removed File! : C:\WINDOWS\system32\szziz.dat
Removed File! : C:\WINDOWS\system32\tfntq.txt
Removed File! : C:\WINDOWS\system32\timjg.dat
Removed File! : C:\WINDOWS\system32\tukbk.log
Removed File! : C:\WINDOWS\system32\tzzvg.txt
Removed File! : C:\WINDOWS\system32\uyixz.log
Removed File! : C:\WINDOWS\system32\vsyab.log
Removed File! : C:\WINDOWS\system32\vwxuk.dat
Removed File! : C:\WINDOWS\system32\wwjmz.log
Removed File! : C:\WINDOWS\system32\zaqqg.log
Removed File! : C:\WINDOWS\system32\zbmbd.log
Removed File! : C:\WINDOWS\system32\zgkch.txt
Removed File! : C:\WINDOWS\system32\zlpko.dat
Removed File! : C:\WINDOWS\system32\zomrc.txt
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:53:47 a.m.
AboutBuster 6.01
Scan started on [17/05/2006] at [10:56:48 a.m.]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:58:51 a.m.
chiaz
17 May 2006, 07:42am
Please launch HijackThis and check the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Now rescan with Spybot Search and Destroy. I believe it produces a logfile, if possible, please post it here for me to have a look. :)
S & D still finds the problem.
Holistyc: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi4529796
Holistyc: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi3109562
--- Spybot - Search && Destroy version: 1.3 ---
2006-05-19 Includes\Cookies.sbi
2006-05-19 Includes\Dialer.sbi
2006-05-19 Includes\Hijackers.sbi
2006-05-19 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-05-19 Includes\Malware.sbi
2006-05-19 Includes\PUPS.sbi
2006-05-19 Includes\Revision.sbi
2006-05-19 Includes\Security.sbi
2006-05-19 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-05-19 Includes\Trojans.sbi
Logfile of HijackThis v1.99.1
Scan saved at 8:54:35 p.m., on 20/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\DSLAGENT.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Starlyte\Desktop\Nic\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE PCI
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
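Reading HijackThis logs by eye, as chiaz does in this thread, gets tedious across several rounds. Here is an added example (my own code, not HijackThis's and not anything posted by a participant) that parses the log format, flags the entry types the helper acted on, and diffs the 16/05 and 20/05 logs above to show what the cleanup removed. The detection rules are my heuristics and the two sample logs are constructed, abridged copies of the posted ones.

```python
"""Parse HijackThis v1.99 logs, flag hijack-style entries, and diff two scans.

Added example for this thread: not HijackThis code and not any poster's code.
The rules are my own heuristics; the sample logs are constructed, abridged
copies of the 16/05/2006 and 20/05/2006 logs posted above.
"""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    kind: str  # HijackThis section code: R0-R3, F0-F3, N1-N4, O1-O23
    body: str  # everything after "<kind> - "


# Header lines and the "Running processes" path list do not match this.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Heuristics, not HijackThis logic: (section prefix, pattern, reason).
SUSPICIOUS_RULES = [
    ("R", re.compile(r"about:blank|\\blank\.htm$", re.I),
     "about:blank / blank.htm hijack of an IE search, start or local page"),
    ("O15", re.compile(r"^Trusted Zone:", re.I),
     "domain added to the IE Trusted Zone (weakens IE security for it)"),
    ("O8", re.compile(r"mywebsearch\.com", re.I),
     "MyWebSearch context-menu item (adware toolbar remnant)"),
]

# Constructed, abridged from the 16/05/2006 log in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:06:18 p.m., on 16/05/2006
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Constructed, abridged from the 20/05/2006 log in the thread.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:54:35 p.m., on 20/05/2006
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a HijackThis log in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Pair each entry that matches a rule with the reason it was flagged."""
    flagged = []
    for entry in entries:
        for prefix, pattern, reason in SUSPICIOUS_RULES:
            if entry.kind.startswith(prefix) and pattern.search(entry.body):
                flagged.append((entry, reason))
                break
    return flagged


def diff_logs(before: list[Entry], after: list[Entry]):
    """Entries that disappeared and entries that appeared between two scans."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


if __name__ == "__main__":
    first, last = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for entry, reason in flag_entries(first):
        print(f"[{entry.kind}] {reason}: {entry.body}")
    removed, added = diff_logs(first, last)
    print(f"{len(removed)} entries removed and {len(added)} added between scans")
```

Run stand-alone it lists the flagged entries and the diff; the MyWebSearch O8 item, which no step in the thread touched, is the one rule hit still present in the 20/05 log.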
chiaz
20 May 2006, 04:18pm
Please run Notepad and paste the following text into a new file:
REGEDIT4
[-HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi4529796]
[-HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi3109562]
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
Rescan with Spybot S&D. Does it still detect these two registry keys?
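The fix.reg above works because a REGEDIT4 section header of the form [-key] deletes that key and every subkey under it. As an added example (my own code, not Spybot's, HijackThis's or chiaz's), this script builds such a file from Spybot's "fixing failed" lines and refuses paths so short that they would wipe a whole profile hive; the sample report is constructed from the two Holistyc lines posted above, and the depth limit is my own conservative default.

```python
"""Turn Spybot S&D 'fixing failed' registry-key reports into a REGEDIT4 file
that deletes those keys, in the form of the fix.reg posted in this thread.

Added example, not Spybot or HijackThis code. The sample report text is
constructed from the two Holistyc lines posted above.
"""
import re

ROOT_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER",
              "HKEY_USERS", "HKEY_CLASSES_ROOT")
# A reported key line is a root hive, a backslash, then the rest of the path.
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+)\\(.+)$")
# Spybot prints the detection name, a description, and the failure in brackets.
FAILED_RE = re.compile(r"^(?P<name>[^:]+): .*\(Registry key, fixing failed\)$")

# Constructed from the Spybot output posted in the thread.
SPYBOT_REPORT = r"""
Holistyc: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi4529796
Holistyc: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi3109562
"""


def parse_failed_keys(report: str) -> list[tuple[str, str]]:
    """Return (detection name, key path) for each 'fixing failed' key."""
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    found = []
    for i, line in enumerate(lines):
        m = FAILED_RE.match(line)
        if m and i + 1 < len(lines) and KEY_RE.match(lines[i + 1]):
            found.append((m.group("name"), lines[i + 1]))
    return found


def check_deletable(key: str, min_depth: int = 3) -> None:
    """Refuse keys that would wipe a hive or a whole user profile.

    '[-key]' deletes the key and every subkey, so require the path to be at
    least min_depth components below the root hive (my own default) and to
    contain nothing that would break the REGEDIT4 section header.
    """
    m = KEY_RE.match(key)
    if not m or m.group(1) not in ROOT_HIVES:
        raise ValueError(f"not a registry key path: {key!r}")
    if "]" in key or "\n" in key:
        raise ValueError(f"unsafe characters for a .reg file: {key!r}")
    if len(m.group(2).split("\\")) < min_depth:
        raise ValueError(f"refusing to delete a near-root key: {key!r}")


def build_deletion_reg(keys: list[str]) -> str:
    """Render a REGEDIT4 file deleting each key, CRLF-terminated."""
    for key in keys:
        check_deletable(key)
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines) + "\r\n"


def write_reg(path: str, text: str) -> None:
    """Write the file as ANSI text (REGEDIT4 is not a Unicode format)."""
    # newline="" keeps the CRLF pairs regedit expects intact on any platform.
    with open(path, "w", encoding="cp1252", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    keys = [key for _, key in parse_failed_keys(SPYBOT_REPORT)]
    print(build_deletion_reg(keys), end="")
```

A key under HKEY_USERS\<SID> only exists while that user's hive is loaded, so a file written this way has to be merged while that user is logged on; merging it from another account deletes nothing.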
S&D no longer finds anything. I'm in the safe then?
chiaz
21 May 2006, 09:08am
Let's have a final check with Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm).
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, along with a new HijackThis log. Hopefully you should be all cleaned up by now.
Thanks for your help & sorry for the late reply. Panda scan came up sweet.
:)
chiaz
28 May 2006, 10:13am
Sweet! Your computer appears clean now.
Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply. When you are warned that all existing Restore Points will be deleted, click Yes to continue. All system restore points are deleted. Now you should manually create a restore point. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Click Create a Restore Point, and then click Next. Name your restore point. (I use the date as well as a descriptive term such as "Clean system.")
Here are a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of spyware problems.
You may have already taken some of these steps:
1. Watch what you download!
Do not download just anything you see on the web. Some may have spyware bundled into them.
2. Try not to use peer-to-peer programs.
P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious; they come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article (http://www.spywareinfo.com/articles/p2p/) written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
3. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
We recommend checking for Windows updates monthly.
4. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
5. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.
6. Keep your antivirus software up to date. If you don't have one, I recommend the free AVG (http://free.grisoft.com/softw/70free/setup/avg71free_371a669.exe).
7. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)
A tutorial on understanding and using firewalls may be found here (http://www.bleepingcomputer.com/forums/tutorial60.html)
8. IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm) puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts (http://www.mvps.org/winhelp2002/hosts.zip). This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm).
9. You might consider installing Mozilla / Firefox, which is much safer than Internet Explorer.
http://www.mozilla.org/
10. Install spyware detection and removal programs:
Ad-aware: http://www.snapfiles.com/get/adaware.html
Spybot S&D:
http://www.safer-networking.org
Use these programs to regularly scan your system for and remove many forms of spyware/malware.
11. Microsoft now offers their own anti-spyware product. Windows® Defender (Beta 2) (http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&DisplayLang=en) improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC. This is a BETA for XP/2000 only.
12. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm
Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing! :D