Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can get rid of istsvc


  • Please log in to reply
3 replies to this topic

#1 Simo

Simo

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 22 May 2005 - 11:12 AM

Of course I used the spy seach software but still can't seem to get rid of istsvc.

Logfile of HijackThis v1.99.1
Scan saved at 12:06:41 PM, on 5/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\System32\keyboard.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\WINDOWS\sukwxsst.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\ISTsvc\istsvc.exe
D:\WINDOWS\seeve.exe
D:\Program Files\Internet Optimizer\optimize.exe
D:\windows\system32\uqfoxfdd.exe
D:\WINDOWS\System32\nsvsvc\nsvsvc.exe
D:\WINDOWS\System32\picsvr\picsvr.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\ctfmon.exe
D:\windows\system32\calc.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\180Solutions\sais.exe
D:\Program Files\BullsEye Network\bin\bargains.exe
D:\WINDOWS\System32\9628nlaa.exe
D:\DOCUME~1\Mikey\LOCALS~1\Temp\Rar$EX86.232\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - D:\WINDOWS\imGiant.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [MessengerPlus3] "c:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [7qnyDPr] D:\WINDOWS\sukwxsst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [bO²ùð-×y-¯Œ] D:\WINDOWS\sukwxsst.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [seeve] D:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [motoin] D:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [uqfoxfdd] d:\windows\system32\uqfoxfdd.exe
O4 - HKLM\..\Run: [Nsv] D:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] D:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [sais] d:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] D:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [9628nlaa] D:\WINDOWS\System32\9628nlaa.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] D:\DOCUME~1\Mikey\LOCALS~1\Temp\Rar$EX00.685\HijackThis.exe /startupscan
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115313591122
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FE0E767-8EDE-4850-B883-6A3F56E5B5F7}: NameServer = 204.50.251.17 207.107.254.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FE0E767-8EDE-4850-B883-6A3F56E5B5F7}: NameServer = 204.50.251.17 207.107.254.9
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Keyboard Service System Files (Keyboard Service) - Unknown owner - D:\WINDOWS\System32\keyboard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ZESOFT - Unknown owner - D:\WINDOWS\zeta.exe

Mod Edit: This will be moved to a more appropriate Forum.

Edited by scarlett, 22 May 2005 - 11:15 AM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:48 AM

Posted 22 May 2005 - 11:35 PM

Hello Simo and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Remove installed programs using Add or Remove Programs in the Control Panel:
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
  • Click on it to select it.
  • Click Change (or Change/Remove) button.
  • If you are prompted to confirm the removal of the program, click Yes.
MessengerPlus! 3
Now we need to remove a service.

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the Service: Keyboard Service System Files service and click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Repeat the above steps for the ZESOFT service.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste each line below into the Command Prompt window and press the Enter key after each one:
    • sc delete Keyboard Service
      sc delete ZESOFT
  • Close the Command Prompt window
Important
Your copy of HijackThis needs to be in a folder of it's own. If it is run from Temporary folders the backups and HijackThis itself could be accidentally deleted if the Temporary folders are cleaned. If it is run from the desktop then the backup files and folders can clutter up the desktop and be accidentally deleted. If it is run from inside a compressed file then the backups are not created at all.
  • Please open My Computer
  • Double-click on Local Disk (C:)
  • Click on the File menu, point to New and then click on Folder. Name the folder 'HijackThis' or 'HJT'.
  • Unzip to or copy and paste HijackThis.exe to the new folder.
Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - D:\WINDOWS\imGiant.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [MessengerPlus3] "c:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [7qnyDPr] D:\WINDOWS\sukwxsst.exe
O4 - HKLM\..\Run: [bO²ùð-×y-¯Œ] D:\WINDOWS\sukwxsst.exe
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [seeve] D:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [motoin] D:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [uqfoxfdd] d:\windows\system32\uqfoxfdd.exe
O4 - HKLM\..\Run: [Nsv] D:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] D:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [sais] d:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] D:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [9628nlaa] D:\WINDOWS\System32\9628nlaa.exe
O4 - HKCU\..\Run: [HijackThis startup scan] D:\DOCUME~1\Mikey\LOCALS~1\Temp\Rar$EX00.685\HijackThis.exe /startupscan
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Keyboard Service System Files (Keyboard Service) - Unknown owner - D:\WINDOWS\System32\keyboard.exe
O23 - Service: ZESOFT - Unknown owner - D:\WINDOWS\zeta.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):D:\WINDOWS\imGiant.dll
D:\WINDOWS\sukwxsst.exe
D:\WINDOWS\sukwxsst.exe
D:\WINDOWS\seeve.exe
D:\WINDOWS\mm15201518.Stub.exe
D:\WINDOWS\zeta.exe
D:\WINDOWS\System32\msbe.dll
d:\windows\system32\uqfoxfdd.exe
D:\WINDOWS\System32\nsvsvc\ <--folder
D:\WINDOWS\System32\picsvr\ <--folder
D:\WINDOWS\System32\9628nlaa.exe
D:\WINDOWS\System32\keyboard.exe
D:\PROGRAM FILES\YOURSITEBAR\ <--folder
c:\Program Files\MessengerPlus! 3\ <--folder
D:\Program Files\ISTsvc\ <--folder
D:\Program Files\Internet Optimizer\ <--folder
d:\program files\180solutions\ <--folder
D:\Program Files\Power Scan\ <--folder
D:\Program Files\BullsEye Network\ <--folder
D:\Program Files\SideFind\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #7

AdAware SE

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 Simo

Simo
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 23 May 2005 - 04:02 PM

Whew...well I went through the steps you gave me and a couple things a had difficulty with or a concern.

1. When I tried to stop the keyboard service system files...that didn't work...which lead to when I tried to type it into the command prompt...it didn't delete.

2. On the first Hijackthis scan I only found a few of the listed things you said to delete...(I don't think thats a problem is it?)

3. On step 6 I ran two online virus scarn programs. The Trend Micro Housecall and the BitDefender on-line Virus Scan. Now the first online scan ran (Trend Micro) found 14 viruses...all of them were deleted except one which i admit is pretty scary when I read about it. Its called "WORM_RBOT.GEN" How would I go about deleting that?

Other than that...thats about it...I haven't really checked to see if everything is working ok but im going to do that now. You help to me was very thourough...I really appreciate it. Here is my new Hijackthis scan log.

Logfile of HijackThis v1.99.1
Scan saved at 4:40:51 PM, on 5/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\system.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\Mikey\LOCALS~1\Temp\Rar$EX00.556\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115313591122
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FE0E767-8EDE-4850-B883-6A3F56E5B5F7}: NameServer = 204.50.251.17 207.107.254.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FE0E767-8EDE-4850-B883-6A3F56E5B5F7}: NameServer = 204.50.251.17 207.107.254.9
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:48 AM

Posted 23 May 2005 - 05:16 PM

Hi Simo. That looks much better. We have a couple of new items so let's remove them.

Step #1

Important
Your copy of HijackThis is still being run from the zipped file and needs to be in a folder of it's own. If it is run from Temporary folders the backups and HijackThis itself could be accidentally deleted if the Temporary folders are cleaned. If it is run from the desktop then the backup files and folders can clutter up the desktop and be accidentally deleted. If it is run from inside a compressed file then the backups are not created at all.
  • Please open My Computer
  • Double-click on Local Disk (C:)
  • Click on the File menu, point to New and then click on Folder. Name the folder 'HijackThis' or 'HJT'.
  • Unzip to or copy and paste HijackThis.exe to the new folder.
Step #2

Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process.:D:\WINDOWS\System32\system.exe
Step #3

Now click the Back button and then click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

Find the following files/folders and delete them (don't worry if they are already gone):D:\WINDOWS\System32\system.exe
Step #5

Your operating system is extremely out of date. By not keeping your OS updated you leave yourself open to many of the infections that cannot be installed on a properly updated system. I strongly recommend that you go to the Windows Update site and install Service Pack 2. Once that is done, go back to the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known holes which your present system has open.

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users