Help with a log


This topic is locked. 22 replies to this topic.

#1 GWGRAY (Members, 13 posts)

Posted 08 January 2005 - 08:16 PM

I have two issues. My browser is being redirected from Google to Win-ect.com/hp.htm?ID=9, which takes me to here4search.com. Also Spysweeper keeps warning me that Hot as Hell istsvc.exe is running on my system, but does not seem to be able to remove it. I have run HijackThis and attached the log. Please help me to clear up my problem. Thanks.


#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 08 January 2005 - 09:50 PM

It looks like your log got lost. Please do the following before posting it again.

Let's start by running some scans and seeing what they come up with.

-------------------------------------------------------------------------
Please download, update and run (one at a time of course!) Spybot 1.3 and
Adaware SE

Fix whatever they suggest.

-------------------------------------------------------------------------
If you need help running these tools, here are some helpful tutorials.
Spybot 1.3 Tutorial
Adaware SE Tutorial

-------------------------------------------------------------------------

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.


-------------------------------------------------------------------------
Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to.

-------------------------------------------------------------------------
I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the Panda Scan Online virus scanner
or
Trend Micro Housecall Online virus scanner

-------------------------------------------------------------------------
Next, reboot and post a fresh HijackThis log to this thread.

Make sure HijackThis is version 1.99 and is in its own folder (C:\Hijackthis), not on the desktop or in a temp folder.

Edited by SifuMike, 08 January 2005 - 09:51 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 GWGRAY (Topic Starter, Members, 13 posts)

Posted 09 January 2005 - 03:53 PM

I ran the programs as you instructed. Here is the log from HijackThis (I am also attaching it to the message). Let me know what I need to do next. Thank you.

Logfile of HijackThis v1.99.0
Scan saved at 3:40:40 PM, on 1/9/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\GSVWY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TEMP\GAQPYJ.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\2KLLSP~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [GCKb] C:\GSVWY.EXE
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\307OKNRT1UFOX.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102

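The HijackThis log above is the kind of artefact a helper triages by eye: autorun (O4) entries and running processes whose binaries sit in odd places or carry generated-looking names. The script below is an added example, not code from this thread or from the HijackThis project. It parses the "Running processes:" block and the O4 lines of a HijackThis v1.99 log and flags entries using heuristics that are my own assumptions (drive-root or temp-folder binaries, digit/letter mixing in the file name, malformed Run value names, one binary registered under two value names, and a small indicator set built only from names the other scanners in this thread already reported). The embedded sample is an excerpt of the log posted above.

```python
"""Triage autorun entries and running processes from a HijackThis v1.99 log.

Added example, not part of the thread or of HijackThis itself. The heuristics
and KNOWN_INDICATORS are assumptions for illustration; tune them before use.
"""
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\RTVSCN95.EXE
C:\GSVWY.EXE
C:\WINDOWS\TEMP\GAQPYJ.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [GCKb] C:\GSVWY.EXE
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\307OKNRT1UFOX.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"""

# "O4 - HKLM\..\Run: [value name] command"; greedy (.*) keeps a ']' inside the name.
REG_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (.*?) = (.*)$')
# First executable-looking token of a command line, quoted or not.
BINARY_RE = re.compile(r'^"?(.*?\.(?:exe|dll|ocx|com))\b', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')
SUSPECT_DIRS = ('\\TEMP\\', '\\TEMPORARY INTERNET FILES\\')
VALUE_NAME_OK = re.compile(r'^[A-Za-z0-9 _.&()-]*$')
MIXED_NAME = re.compile(r'\d[A-Za-z]')          # a digit directly followed by a letter
KNOWN_INDICATORS = {'istsvc'}                   # assumption: names reported by Spy Sweeper / Ad-Aware in this thread


def executable_of(command):
    """Reduce a Run command line to the binary it launches."""
    m = BINARY_RE.match(command.strip())
    return m.group(1) if m else command.strip().split()[0]


def stem_of(path):
    """File name without directory and extension."""
    return re.sub(r'\.[A-Za-z0-9]+$', '', path.rsplit('\\', 1)[-1])


def parse_log(text):
    """Return entries as dicts with 'source', 'name' and 'path'."""
    entries, in_procs = [], False
    for line in text.splitlines():
        if line.strip() == 'Running processes:':
            in_procs = True
            continue
        if in_procs:
            if not line.strip():
                in_procs = False
            else:
                entries.append({'source': 'process', 'name': '', 'path': line.strip()})
            continue
        m = REG_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({'source': hive + '\\' + key, 'name': name, 'path': executable_of(command)})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({'source': 'Startup', 'name': m.group(1), 'path': executable_of(m.group(2))})
    return entries


def triage(text):
    """Map upper-cased file stem -> sorted list of reasons it was flagged."""
    entries = parse_log(text)
    names_by_path = defaultdict(set)             # which Run value names launch each binary
    for e in entries:
        if e['source'] != 'process':
            names_by_path[e['path'].upper()].add(e['name'])
    findings = defaultdict(set)
    for e in entries:
        path, stem = e['path'], stem_of(e['path'])
        if DRIVE_ROOT_RE.match(path):
            findings[stem.upper()].add('binary sits directly in the drive root')
        if any(d in path.upper() for d in SUSPECT_DIRS):
            findings[stem.upper()].add('binary runs from a temp folder')
        if MIXED_NAME.search(stem):
            findings[stem.upper()].add('file name mixes digits and letters like a generated name')
        if e['name'] and not VALUE_NAME_OK.match(e['name']):
            findings[stem.upper()].add('Run value name contains unexpected characters')
        if len(names_by_path.get(path.upper(), ())) > 1:
            findings[stem.upper()].add('same binary registered under more than one Run value')
        if stem.lower() in KNOWN_INDICATORS:
            findings[stem.upper()].add('file already named by the other scanners in this thread')
    return {stem: sorted(reasons) for stem, reasons in findings.items()}


if __name__ == '__main__':
    for stem, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(stem + ': ' + '; '.join(reasons))
```

Run against the excerpt, it flags GSVWY (drive root, two Run values, one of them with a malformed name), GAQPYJ (temp folder), W90D86BTFITHD and 307OKNRT1UFOX (generated-looking names) and ISTSVC (already reported by the other scanners), while leaving scanregw, Rundll32 and the Symantec and QuickTime entries alone. The duplicate-registration rule deliberately requires two different value names, so LoadPowerProfile appearing in both Run and RunServices under the same name is not reported.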



#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 09 January 2005 - 04:32 PM

Please post the logs from your Adaware SE and Spybot 1.3 last scan, as I need to check some of the running processes.

You can get the log by opening Spybot 1.3> select Mode> Advanced > Tools> View Report> copy and paste the report to your reply.

The fastest way to get the Adaware SE log is to navigate to your Ad-aware SE folder: C:\Documents and Settings\USER NAME\Application Data\Lavasoft\Ad-Aware\Logs.

Open this folder and find the correct log.
The logs are named "Ad-Aware-log ##-##-##.txt" (the #'s will be the date of the scan). Highlight all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard. Now be online, logged in and ready to post your logfile.
Press Ctrl + V and that will paste your logfile into the post!

If you cannot find the Adaware Log file by the above method then you will have to run it.
Open Adaware SE,

1) Run the WebUpdate feature.

2) Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Advanced Button
Logfile Detail Level:
All options under this should be checked (Green).

Tweak Button
Check (Green) the following:
Log Files
Include basic Ad-Aware settings in logfile:
Include additional Ad-Aware settings in logfile:
Please do not check (Green): Include Module list in logfile:

Click on "Proceed"

3) Click on "Scan Now"

4) Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

5) Run the scanner using the Full Scan (Perform full system scan) mode.
A full scan is the in-depth scan mode that scans your whole computer for Spyware infections. When performing a full scan the following scan settings are used:

- Full Memory Scan is performed
- Registry Scan is performed
- Deep Registry scan is performed
- Cookie-Scan is performed
- Favorites are scanned
- Hosts file is scanned
- Conditional scans are performed
- Archive files are scanned
- All fixed drives are scanned

6) When the scan has completed, do not quarantine or remove anything at this time.
Start your own topic in the appropriate forum.
Click "Show Logfile".
Copy/paste the complete log file in your own topic that you just created.
Remember to post the complete logfile.
You will know you are at the end when you see the "Summary of this scan".

#5 GWGRAY (Topic Starter, Members, 13 posts)

Posted 10 January 2005 - 05:40 PM

Here are the logs you wanted to view. What is next? BTW, your directions are very clear and easy to follow. Thanks!


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, January 09, 2005 12:06:49 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R24 29.12.2004


References detected during the scan:

CoolWebSearch(TAC index:10):42 total references
istbar(TAC index:6):11 total references
MRU List(TAC index:0):4 total references
Possible Browser Hijack attempt(TAC index:3):7 total references


Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R24 29.12.2004
Internal build : 29
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 416382 Bytes
Total size : 1313453 Bytes
Signature data size : 1283765 Bytes
Reference data size : 29176 Bytes
Signatures total : 36484
Fingerprints total : 610
Fingerprints size : 23044 Bytes
Target categories : 15
Target families : 633


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:16 %
Total physical memory:32288 kb
Available physical memory:1276 kb
Total page file size:2064860 kb
Available on page file:2042576 kb
Total virtual memory:2093056 kb
Available virtual memory:2046912 kb
OS:

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-9-05 12:06:49 PM - Scan started. (Custom mode)

Listing running processes


#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4291791465
Threads : 4
Priority : High
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294958733
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294956789
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294966785
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:5 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294847905
Threads : 4
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:6 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294898825
Threads : 3
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{444a5674-ff85-45d4-9ae2-4199d8d70c85}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : redalert.here.1

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : redalert.here

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0d721150-aef3-457b-b03a-5097b623ce45}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0d721150-aef3-457b-b03a-5097b623ce45}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra
Value : data3

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra
Value : data2

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist
Value : Recover

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : version

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : DisplayName

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : UninstallString

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : NoModify

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Item_Data3_2"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Item_Data3_2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Item_Data3_1"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Item_Data3_1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Item_Data2_2"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Item_Data2_2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Item_Data2_1"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Item_Data2_1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Item_Data1_2"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Item_Data1_2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Item_Data1_1"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Item_Data1_1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "TODO_Count"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\settings
Value : TODO_Count

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "IST Service"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : IST Service

Registry Scan result:

New critical objects: 32
Objects found so far: 32


Started deep registry scan

Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Pagewin-eto.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://win-eto.com/sp.htm?id=9"
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://win-eto.com/sp.htm?id=9"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Barwin-eto.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://win-eto.com/sp.htm?id=9"
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://win-eto.com/sp.htm?id=9"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\SearchSearchAssistantwin-eto.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://win-eto.com/sp.htm?id=9"
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://win-eto.com/sp.htm?id=9"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet ExplorerSearchURLwin-eto.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://win-eto.com/sp.htm?id=9"
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : "http://win-eto.com/sp.htm?id=9"

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "Control handler"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : Control handler

CoolWebSearch Object Recognized!
Type : File
Data : rpxhl99hif57mothd.exe
Category : Malware
Comment :
Object : c:\windows\system\
FileVersion : 1, 0, 31, 0
ProductVersion : 1, 0, 31, 0
ProductName : Cassandra
CompanyName : Melkosoft Corporation
LegalCopyright : Copyright © 2004


Deep registry scan result:

New critical objects: 5
Objects found so far: 38

MRU List Object Recognized!
Location: : .DEFAULT\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system



Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 42



Deep scanning and examining files (C:)


CoolWebSearch Object Recognized!
Type : File
Data : 2dp62kmdy0zydd.dll
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\
FileVersion : 1, 0, 31, 0
ProductVersion : 1, 0, 31, 0
ProductName : Cassandra
CompanyName : Melkosoft Corporation
LegalCopyright : Copyright © 2004


CoolWebSearch Object Recognized!
Type : File
Data : f5l7p4oo1mtow.dll
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\
FileVersion : 1, 0, 31, 0
ProductVersion : 1, 0, 31, 0
ProductName : Cassandra
CompanyName : Melkosoft Corporation
LegalCopyright : Copyright © 2004


CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_4[1].exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temporary Internet Files\Content.IE5\G8JFVE6W\



CoolWebSearch Object Recognized!
Type : File
Data : main[1].exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temporary Internet Files\Content.IE5\SV8BMPKJ\
FileVersion : 1, 0, 31, 0
ProductVersion : 1, 0, 31, 0
ProductName : Cassandra
CompanyName : Melkosoft Corporation
LegalCopyright : Copyright © 2004


CoolWebSearch Object Recognized!
Type : File
Data : tl09w5tlgs.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileVersion : 1, 0, 31, 0
ProductVersion : 1, 0, 31, 0
ProductName : Cassandra
CompanyName : Melkosoft Corporation
LegalCopyright : Copyright © 2004


CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_4.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\~MSSETUP.T\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\epson\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\hijackthis\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\LXK1000\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\My Documents\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\My Music\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\Program Files\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\QUICKENW\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\RECYCLED\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\VCPERS\

New critical objects: 0
Objects found so far: 48

Disk Scan Result for C:\WINDOWS\

New critical objects: 0
Objects found so far: 48

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : free xxx pics & movies.url
Category : Misc
Comment : Problematic URL discovered: http://gotosex4all.com
Object : C:\WINDOWS\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : web anal sex.url
Category : Misc
Comment : Problematic URL discovered: http://webanalsex.com
Object : C:\WINDOWS\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : all crazy sex.url
Category : Misc
Comment : Problematic URL discovered: http://allcrazyporn.com/
Object : C:\WINDOWS\Favorites\




Performing conditional scans...


CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\settings
Value : GUID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\settings
Value : Control Date

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .default\software\microsoft\internet explorer\settings
Value : GUID

CoolWebSearch Object Recognized!
Type : File
Data : mssys.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : image.dll
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : dllhelp.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : ieengine.exe
Category : Malware
Comment :
Object : C:\Program Files\internet explorer\



CoolWebSearch Object Recognized!
Type : File
Data : free xxx pics & movies.url
Category : Malware
Comment :
Object : C:\WINDOWS\Favorites\



CoolWebSearch Object Recognized!
Type : File
Data : all crazy sex.url
Category : Malware
Comment :
Object : C:\WINDOWS\Favorites\



istbar Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Program Files\ISTsvc

istbar Object Recognized!
Type : File
Data : istsvc.exe
Category : Malware
Comment :
Object : C:\Program Files\istsvc\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : istsvc
FileDescription : istsvc
InternalName : istsvc
LegalCopyright : Copyright 2004
OriginalFilename : istsvc.exe


Conditional scan result:

New critical objects: 13
Objects found so far: 64

12:13:53 PM Scan Complete

Summary Of This Scan

Total scanning time:00:07:04.30
Objects scanned:62272
Objects identified:60
Objects ignored:0
New critical objects:60



--- Search result list ---

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


--- System information ---
Windows 98 (Build: 1998)


--- Startup entries list ---
Located: HK_LM:Run, 0 44}5]C:\Program Files\ISTsvc\istsvc.exe
command: C:\GSVWY.EXE
file: C:\GSVWY.EXE
size: 6144
MD5: ab81e56ac786c5c1fbb9f19ee8a2fe1d

Located: HK_LM:Run, Control handler
command: C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE

Located: HK_LM:Run, GCKb
command: C:\GSVWY.EXE
file: C:\GSVWY.EXE
size: 6144
MD5: ab81e56ac786c5c1fbb9f19ee8a2fe1d

Located: HK_LM:Run, IST Service
command: C:\Program Files\ISTsvc\istsvc.exe
file: C:\Program Files\ISTsvc\istsvc.exe
size: 12288
MD5: 5abeb6014b05c416443ff1406034797e

Located: HK_LM:Run, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 9ef36c1b50cb6f80deb943c622604fda

Located: HK_LM:Run, QuickTime Task
command: "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
file: C:\WINDOWS\SYSTEM\QTTASK.EXE
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Located: HK_LM:Run, ScanRegistry
command: C:\WINDOWS\scanregw.exe /autorun
file: C:\WINDOWS\scanregw.exe
size: 86016
MD5: 661d6dc4707b0110bfd7d4da4ccb86cc

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\SYSTEM\SysTray.Exe
size: 36864
MD5: 503b4ba97c91913fca701290cbdf58a2

Located: HK_LM:Run, TaskMonitor
command: C:\WINDOWS\taskmon.exe
file: C:\WINDOWS\taskmon.exe
size: 28672
MD5: e3638df27264132f18b43802c96efbba

Located: HK_LM:Run, TCASUTIEXE
command: TCAUDIAG -off
file: C:\WINDOWS\SYSTEM\TCAUDIAG.exe
size: 1093632
MD5: 7d038d6b843f84a877114e1c1d2d0c5a

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
file: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
size: 77824
MD5: 2c2c5c662e71a1ebec6569bd05911237

Located: HK_LM:RunServices, defwatch
command: C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
file: C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
size: 32768
MD5: f4ceed318f6669820a198b9498a88159

Located: HK_LM:RunServices, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 9ef36c1b50cb6f80deb943c622604fda

Located: HK_LM:RunServices, rtvscn95
command: C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
file: C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
size: 548864
MD5: 61b0acc60fe3a5088b44eb3b3d063850

Located: HK_LM:RunOnce, SpySweeper_BT01
command: "C:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01
file: C:\Program Files\Webroot\Spy Sweeper\Bt01.exe
size: 263168
MD5: 6af688a4d71d0a96e2fc8526a6a22f63

Located: HK_CU:Run, romahere3
command: C:\WINDOWS\SYSTEM\307OKNRT1UFOX.EXE

Located: HK_CU:Run, SpySweeper
command: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

Located: Startup (user), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 49254
MD5: 0e6e43d31ac16bcf682eb5f63178c492

Located: Startup (user), America Online 7.0 Tray Icon.lnk
command: C:\Program Files\America Online 7.0\aoltray.exe
file: C:\Program Files\America Online 7.0\aoltray.exe
size: 32842
MD5: c2650a5ffe7bacfb3abb3ddfaf190c2c

Located: Startup (user), HotSync Manager.lnk
command: C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
file: C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
size: 282624
MD5: 423f81e5f8bd871e4d9ccb13ed18f64d

Located: Startup (user), Microsoft Find Fast.lnk
command: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
file: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
size: 122880
MD5: 866c337eaa0b12efd3a4be11234015b0

Located: Startup (user), Office Startup.lnk
command: C:\Program Files\Microsoft Office\Office\OSA.EXE
file: C:\Program Files\Microsoft Office\Office\OSA.EXE
size: 51984
MD5: d06276d4cad46cdceabefdeb1a0d3c0d

Located: Startup (user), Weekly Compass.lnk
command: C:\Program Files\Franklin Covey\Planner\Compass.exe
file: C:\Program Files\Franklin Covey\Planner\Compass.exe
size: 49152
MD5: f16e045d5dad7fb7193717f28172a74d

Located: Startup (user), WinZip Quick Pick.lnk
command: C:\Program Files\WinZip\WZQKPICK.EXE
file: C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67b2e7b6ae3b400d832f0456068ea83d



--- Browser helper object list ---
{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} ()
BHO name:
CLSID name:



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Internet Explorer Classes for Java (Internet Explorer Classes for Java)
DPF name: Internet Explorer Classes for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\iejava.cab
info link:
info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\
Long name: SWDIR.DLL
Short name:
Date (created): 6/24/04 2:31:12 PM
Date (last access): 1/10/05
Date (last write): 5/28/04 1:38:00 AM
Filesize: 54480
Attributes: archive
MD5: 408F53722D9C1280BF4EDD70341EA7F2
CRC32: 4EB8819E
Version: 0.10.0.0

{62475759-9E84-458E-A1AB-5D2C442ADFDE} ()
DPF name:
CLSID name:

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\MACROMED\FLASH\
Long name: Flash.ocx
Short name: FLASH.OCX
Date (created): 6/9/04 3:59:26 PM
Date (last access): 1/10/05
Date (last write): 6/9/04 3:59:26 PM
Filesize: 939224
Attributes:
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:



--- Process list ---
Spybot - Search && Destroy process list report, 1/10/05 7:00:24 AM

PID: 4290978189 (4294796041) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
PID: 4291152205 (4294796041) C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PLANNER.EXE
PID: 4291804269 (2124881341) C:\WINDOWS\SYSTEM\KERNEL32.DLL
PID: 4294581437 (4294796041) C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
PID: 4294641609 (4294796041) C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
PID: 4294653665 (4294796041) C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
PID: 4294656509 (4294796041) C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
PID: 4294669177 (4294796041) C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
PID: 4294712709 (4294745057) C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
PID: 4294723485 (4294796041) C:\WINDOWS\SYSTEM\QTTASK.EXE
PID: 4294729105 (4294796041) C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
PID: 4294745057 (4294796041) C:\GSVWY.EXE
PID: 4294760033 (4294796041) C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
PID: 4294765533 (4294796041) C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
PID: 4294796041 (4294953097) C:\WINDOWS\EXPLORER.EXE
PID: 4294819953 (4294796041) C:\WINDOWS\TASKMON.EXE
PID: 4294835185 (4294796041) C:\WINDOWS\SYSTEM\SYSTRAY.EXE
PID: 4294854841 (4294967065) C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
PID: 4294871385 (4294967065) C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
PID: 4294953097 (4291804269) C:\WINDOWS\SYSTEM\MSGSRV32.EXE
PID: 4294967065 (4294953097) C:\WINDOWS\SYSTEM\MPREXE.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/10/05 7:00:24 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MS.w95.spi.osp
GUID: {FF017DE1-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\mswsosp.dll
Description: Microsoft Windows 9x*Grinler name space provider
DB filename: %windir%\system\mswsosp.dll
DB protocol: MS.w95.spi.*

Protocol 1: MS.w95.spi.tcp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 2: MS.w95.spi.udp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 3: MS.w95.spi.raw
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 4: MS.w95.spi.rsvptcp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Protocol 5: MS.w95.spi.rsvpudp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Namespace Provider 0: DNS Name Space Provider.
GUID: {FF017DE2-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\rnr20.dll
Description: Microsoft Windows 9x*Grinler name space provider
DB filename: %windir%\system\rnr20.dll
DB protocol: DNS Name Space Provider.

#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 January 2005 - 05:57 PM

Hello,
Would you run another HijackThis log and post it? The last one was several days ago and I need it current. :thumbsup: Thanks.

Edited by SifuMike, 10 January 2005 - 05:58 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 GWGRAY
  • Topic Starter

  • Members
  • 13 posts

Posted 10 January 2005 - 11:42 PM

Here is the new HijackThis log.

Logfile of HijackThis v1.99.0
Scan saved at 11:36:58 PM, on 1/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\GSVWY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\2KLLSP~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [GCKb] C:\GSVWY.EXE
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunOnce: [SpySweeper_BT01] "C:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\307OKNRT1UFOX.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 January 2005 - 01:07 AM

Hello GWGRAY,

You have a CWS infection, as well as the ISTbar infection. :flowers:
Let's get rid of them. :thumbsup:

*****************************************************

Download CWSHREDDER 2.1 from http://www.intermute.com/spysubtract/cwshr...r_download.html
Open CWShredder and with ALL other windows closed, click fix.
Let me know if it deleted any CWS malware.

*****************************************************

To get rid of the ISTBar, let's try the removal tool.
Go to Adware.Istbar Removal Tool, download it, read the instructions and run it.
http://securityresponse.symantec.com/avcen...are.istbar.html
Copy and paste the resulting report to this thread.

*****************************************************

After it completes, go to http://security.symantec.com/sscv6/default...id=ie&venid=sym and run the Symantec Virus Checker. Tell me if it detects anything.

*****************************************************

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (you must kill them one at a time).
C:\GSVWY.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE


*****************************************************

Please boot into safe mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\2KLLSP~1.DLL (file missing)
O4 - HKLM\..\Run: [GCKb] C:\GSVWY.EXE
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\307OKNRT1UFOX.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe


*****************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

C:\WINDOWS\SYSTEM\2KLLSP~1.DLL <===file
C:\GSVWY.EXE <===file
C:\Program Files\ISTsvc\ <===folder
C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE <===file
C:\WINDOWS\SYSTEM\307OKNRT1UFOX.EXE <===file

*****************************************************

Download CCleaner from http://www.ccleaner.com/
Open it, and go to its Window Tab, then press the Run Cleaner button. Do not use its Issues Tab or Applications Tab.

*****************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 11 January 2005 - 01:13 AM.


#9 GWGRAY
  • Topic Starter

  • Members
  • 13 posts

Posted 12 January 2005 - 08:37 PM

I ran CWSHREDDER 2.1 which found nothing.

I ran Adware.Istbar Removal Tool. I was not able to make a copy of the report, but it reported 2 files removed. I clicked OK and the report disappeared. I ran the program a second time and the report said no problems found. When I rebooted, Spysweeper detected and shut down the IstBar.

I tried to run Symantec Virus Checker, but the link you provided took me to a page on the Symantec site that said this was a dead link.

No problem removing the two files with the HijackThis Kill Process, then I went into safe mode and fixed the seven items in the HijackThis log.

Doing the file hunt, I could only find and remove two of the five files/folders. I could not find:

C:\WINDOWS\SYSTEM\2KLLSP~1.DLL
C:\WINDOWS\SYSTEM\W90D86BTFITHD.EXE
C:\WINDOWS\SYSTEM\303OKNRT1UFOX.EXE

CCleaner ran fine.

There is a definite improvement in the speed my computer is now running.

Here is the new Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 8:09:18 PM, on 1/12/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 January 2005 - 10:42 PM

Hello GWGRAY,

You have a variant of the ISTbar, and it is very difficult to remove.

O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE


Better turn off Spy Sweeper until you are done cleaning with Adaware SE, as it may interfere with its cleaning.

I have previously had success using Adaware SE, so let's try that method.

1. Clean out temp folder.
You can use CCleaner http://ccleaner.com/ to do this.
After you download it, install it and go to the Windows Tab; then press the Run Cleaner button. Do not run anything under the other two Tabs (Issues Tab and Applications Tab).

2. Clean out Temporary Internet Files folder. Go to IE> Tools> Internet Options> Delete Files> delete all offline files>press OK

3. Empty your Recycle Bin

4. Run Hijackthis and post the log. This will be a benchmark, that is, before running Adaware SE.
When you post the log, be sure to tell me the log is before running Adaware SE.

5. Open Adaware SE, go to the top and click the Gear, click on the Tweak, go to the Cleaning Engine, and make sure you have "Let Windows remove all files in use at next reboot" checked (should be a green check next to it).
Then update and run Adaware SE.

6. After it completes, run another Adaware SE (this should delete the reloaded ISTbar).

7. Then Reboot and run Adaware SE again. It should be clean.

8. Run Hijackthis log and we will see how it did. Tell me that is the "after Adaware" run. :thumbsup:

Edited by SifuMike, 13 January 2005 - 01:55 PM.


#11 GWGRAY
  • Topic Starter

  • Members
  • 13 posts

Posted 13 January 2005 - 10:49 PM

Here is the Hijackthis log before running Adaware:

Logfile of HijackThis v1.99.0
Scan saved at 9:44:17 PM, on 1/13/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102

Here is the log after running adaware:


Logfile of HijackThis v1.99.0
Scan saved at 10:39:45 PM, on 1/13/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102


After rebooting I ran Adaware again and nothing was found.

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 January 2005 - 12:34 AM

After rebooting I ran Adaware again and nothing was found.


You lost me. :thumbsup:
Did you run Adaware SE 3 times and reboot each run?
If you forgot to reboot, then it will not work, and if you did not run it 3 times it will not work.

You have to follow the directions exactly as I gave in my previous message or it will not work.

By "nothing was found" do you mean Adaware scan was clean and no ISTbar was found? Or do you mean you think your log is clean?

Your last log still has ISTbar:

O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE

:flowers:

Let's try uninstalling it. Do the following:

Click Start>Settings>Control Panel.
Double-click on Add/Remove Programs.
Look for ISTsvc, and click Add/Remove.
Click Yes in the popup window.
Close Add/Remove Programs.

Then reboot and run a new Hijackthis log.

Edited by SifuMike, 14 January 2005 - 12:50 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 GWGRAY

GWGRAY
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 14 January 2005 - 07:52 PM

I did not realize I needed to reboot each time before running Adaware. I repeated your previous directions, I hope this time correctly.

Here is the Hijackthis log before running Adaware:

Logfile of HijackThis v1.99.0
Scan saved at 2:54:27 PM, on 1/14/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102

This is the log after running Adaware the third time:


Logfile of HijackThis v1.99.0
Scan saved at 5:39:43 PM, on 1/14/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102

I also followed your most recent instructions to attempt to remove ISTSVC using the Add/Remove Programs control panel. However, ISTSVC did not appear in the list of programs in the Add/Remove Programs window.

My computer appears to be running well. Please let me know if there is anything else I need to do. Thank you for your help!

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:24 AM

Posted 14 January 2005 - 10:33 PM

O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE


Looks like it is still there. :thumbsup: It is a very stubborn little bugger. :flowers:

Let's try this:

Please boot into safe mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:
C:\GSVWY.EXE <== file
C:\Program Files\ISTsvc\ <==folder

Tell me if you find the files and folder.

Run CCleaner and press the Run Cleaner button.

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
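
A small triage script for O4 lines like the one SifuMike keeps pointing at, added here as an example and not part of the thread or of HijackThis itself: it parses HijackThis O4 entries and flags any whose value name embeds a path or stray brackets, whose executable sits in the drive root, or whose text matches the ISTsvc component named in this thread. The sample lines are copied from the logs above; the heuristics and the KNOWN_BAD list are my own assumptions.

```python
import re

# Constructed sample: a subset of the O4 lines from the HijackThis logs in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Registry form: "O4 - <hive>\..\<key>: [<value name>] <command>"
REG_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*)\] (.*)$")
# Startup-folder form: "O4 - Startup: <shortcut> = <target>"
STARTUP_RE = re.compile(r"^O4 - Startup: (.*?) = (.*)$")
# An .exe directly in a drive root (C:\GSVWY.EXE); installed software almost never lives there.
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\.exe"?(\s|$)', re.IGNORECASE)
KNOWN_BAD = ("istsvc",)  # the component this thread identifies as ISTbar (assumed list)

def parse_o4(line):  # -> {"location", "name", "command"} or None for non-O4 lines
    m = REG_RE.match(line)
    if m:
        return {"location": f"{m[1]}\\{m[2]}", "name": m[3], "command": m[4]}
    m = STARTUP_RE.match(line)
    if m:
        return {"location": "Startup folder", "name": m[1], "command": m[2]}
    return None

def suspicious_reasons(entry):
    """Cheap heuristics: each hit is a reason to look closer, not proof of malware."""
    reasons = []
    if re.search(r"[\\\]\}]", entry["name"]):  # a path or bracket junk inside the value name
        reasons.append("value name embeds a path or stray brackets")
    if ROOT_EXE_RE.match(entry["command"]):
        reasons.append("executable sits in the drive root")
    if any(b in (entry["name"] + entry["command"]).lower() for b in KNOWN_BAD):
        reasons.append("matches a known adware component name")
    return reasons

def triage(log_text):  # parsed O4 entries that trip at least one heuristic, with reasons
    flagged = []
    for entry in filter(None, map(parse_o4, log_text.splitlines())):
        entry["reasons"] = suspicious_reasons(entry)
        if entry["reasons"]:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(e["location"], "|", e["command"], "|", "; ".join(e["reasons"]))
```

Run against the sample, only the ISTsvc line is reported, with all three reasons; the Symantec, Webroot and WinZip entries pass untouched.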

#15 GWGRAY

GWGRAY
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 19 January 2005 - 09:05 PM

I ran the fix with HijackThis in Safe Mode. Still in Safe Mode I searched for the file (GSVWY.EXE) and the folder (ISTsvc) you listed. I could not find either on my C: drive. After rebooting I got the following log:

Logfile of HijackThis v1.99.0
Scan saved at 8:56:37 PM, on 1/19/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\GSVWY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = misshalls
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.16.5.102



