Clean my Desktop - Part 2

vickymustdie · 11-05-2005, 12:29 AM

Hi Guys...

This is referring to my earlier post Clean my Desktop http://www.thinkdigit.com/forum/viewtopic.php?t=19862 for those who didn't read my post.

I'm sincerely thankful to Swatkat and others for the resolutions. BUt I'm still facing problems. I've installed all the Spyware software and scanned my box but now still there are lot of unnecessary programs that taking up my memory.

Dear Swatkat, I've performed all the steps you mentioned but now i'm getting the following popups...

Please help me...

When I boot my system I get this popup

While surfing I get this.

And suddenly while working on my PC online/offline, I get this popup.

And for all your reference.. Here is my new HIJACKTHIS lines...

Logfile of HijackThis v1.99.1
Scan saved at 12:27:29 AM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\egjokul.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\wp.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\oracle\ora90\BIN\TNSLSNR.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
f:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {A6BC6BED-64A0-41EA-A36D-F81845949767} - C:\WINDOWS\system32\oknkne.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MTmm6q] C:\WINDOWS\egjokul.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [wfzf] C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6455DD65-722B-405A-AAD1-335817486602} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6455DD65-722B-405A-AAD1-335817486602} - (no file) (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B67F39-18C1-4A9F-85A2-E8C35EC1DE75}: NameServer = 203.197.38.2 203.197.38.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{87F3CD8D-8CE5-441D-8FD8-D2478ADDE0E5}: NameServer = 203.197.38.2,203.197.38.3
O18 - Filter: text/html - {DF61DCBB-B159-48E4-B01B-0C555BA42670} - C:\WINDOWS\system32\oknkne.dll
O18 - Filter: text/plain - {DF61DCBB-B159-48E4-B01B-0C555BA42670} - C:\WINDOWS\system32\oknkne.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - F:\oracle\ora90\bin\xsolap.exe
O23 - Service: Oracle OLAP Agent - Unknown owner - F:\oracle\ora90\bin\xsaagent.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - F:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - F:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - F:\oracle\ora90\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome90PagingServer - Unknown owner - F:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - F:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - F:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - F:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceANIL - Oracle Corporation - f:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - F:\oracle\ora90\bin\osagent.exe

Please helppp....

swatkat · 11-05-2005, 12:44 AM

Hi dont worry, it's Smitfraud.c Deskto Hijacker and OldHomeSp Browser Hiajcker!
Before going to HjackThis, do this:-
Download CW-Shredder.

Download SpSeHjfix and then
right click a blank part of Desktop & select new folder, call it spfix and unzip the file into that folder.
Disconnect from the net and Close ALL OPEN PROGRAMS.
Run SpSeHjfix and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.
Now run the CWShredder and click Fix button.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

vickymustdie · 11-05-2005, 03:11 PM

Hi swatkat,

I did what u said and here is the new log file from SPSeHjFix...

(5/11/05 1:05:07 PM) SPSeHjFix started v1.1.2
(5/11/05 1:05:07 PM) OS: WinXP Service Pack 2 (5.1.2600)
(5/11/05 1:05:07 PM) Language: english
(5/11/05 1:05:07 PM) Win-Path: C:\WINDOWS
(5/11/05 1:05:07 PM) System-Path: C:\WINDOWS\system32
(5/11/05 1:05:07 PM) Temp-Path: C:\DOCUME~1\owner\LOCALS~1\Temp\
(5/11/05 1:05:11 PM) Disinfection started
(5/11/05 1:05:11 PM) Bad-Dll(IEP): (not found)
(5/11/05 1:05:11 PM) Bad-Dll(IEP) in BHO: (not found)
(5/11/05 1:05:11 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\system32\oknkne.dll
(5/11/05 1:05:11 PM) Searchassistant Uninstaller - Keys Deleted
(5/11/05 1:05:11 PM) UBF: 7 - UBB: 6 - UBR: 22
(5/11/05 1:05:11 PM) FilterKey: HKCR\text/html (deleted)
(5/11/05 1:05:11 PM) FilterKey: HKCR\CLSID\{DF61DCBB-B159-48E4-B01B-0C555BA42670} (deleted)
(5/11/05 1:05:11 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/11/05 1:05:11 PM) FilterKey: HKCR\text/plain (deleted)
(5/11/05 1:05:11 PM) FilterKey: HKCR\CLSID\{DF61DCBB-B159-48E4-B01B-0C555BA42670} (error while deleting)
(5/11/05 1:05:11 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/11/05 1:05:11 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{A6BC6BED-64A0-41EA-A36D-F81845949767} (deleted)
(5/11/05 1:05:11 PM) BHO-Key: HKCR\CLSID\{A6BC6BED-64A0-41EA-A36D-F81845949767} (deleted)
(5/11/05 1:05:11 PM) UBF: 5 - UBB: 5 - UBR: 22
(5/11/05 1:05:11 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
(5/11/05 1:05:11 PM) Stealth-String not found
(5/11/05 1:05:11 PM) File added to delete: c:\windows\system32\oknkne.dll
(5/11/05 1:05:11 PM) Reboot

(5/11/05 1:08:41 PM) SPSeHjFix started v1.1.2
(5/11/05 1:08:41 PM) OS: WinXP Service Pack 2 (5.1.2600)
(5/11/05 1:08:41 PM) Language: english
(5/11/05 1:08:41 PM) Win-Path: C:\WINDOWS
(5/11/05 1:08:41 PM) System-Path: C:\WINDOWS\system32
(5/11/05 1:08:41 PM) Temp-Path: C:\DOCUME~1\owner\LOCALS~1\Temp\
(5/11/05 1:09:12 PM) Disinfection started
(5/11/05 1:09:12 PM) Bad-Dll(IEP): (not found)
(5/11/05 1:09:12 PM) Bad-Dll(IEP) in BHO: (not found)
(5/11/05 1:09:12 PM) UBF: 5 - UBB: 5 - UBR: 22
(5/11/05 1:09:12 PM) UBF: 5 - UBB: 5 - UBR: 22
(5/11/05 1:09:12 PM) Bad IE-pages: (none)
(5/11/05 1:09:12 PM) Stealth-String not found
(5/11/05 1:09:12 PM) Not infected->END

Please help.......

vysakh · 11-05-2005, 04:30 PM

problems found in your hijackthis logfile are marked in red

Quote:

Originally Posted by vickymustdie

Logfile of HijackThis v1.99.1
Scan saved at 12:27:29 AM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\egjokul.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\wp.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\oracle\ora90\BIN\TNSLSNR.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
f:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {A6BC6BED-64A0-41EA-A36D-F81845949767} - C:\WINDOWS\system32\oknkne.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MTmm6q] C:\WINDOWS\egjokul.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [wfzf] C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6455DD65-722B-405A-AAD1-335817486602} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6455DD65-722B-405A-AAD1-335817486602} - (no file) (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B67F39-18C1-4A9F-85A2-E8C35EC1DE75}: NameServer = 203.197.38.2 203.197.38.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{87F3CD8D-8CE5-441D-8FD8-D2478ADDE0E5}: NameServer = 203.197.38.2,203.197.38.3
O18 - Filter: text/html - {DF61DCBB-B159-48E4-B01B-0C555BA42670} - C:\WINDOWS\system32\oknkne.dll
O18 - Filter: text/plain - {DF61DCBB-B159-48E4-B01B-0C555BA42670} - C:\WINDOWS\system32\oknkne.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - F:\oracle\ora90\bin\xsolap.exe
O23 - Service: Oracle OLAP Agent - Unknown owner - F:\oracle\ora90\bin\xsaagent.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - F:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - F:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - F:\oracle\ora90\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome90PagingServer - Unknown owner - F:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - F:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - F:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - F:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceANIL - Oracle Corporation - f:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - F:\oracle\ora90\bin\osagent.exe

Please helppp....

swatkat · 11-05-2005, 07:25 PM

Hi vicky,
Dont delete anything in HijackThis now!
Old HijackThis Log file you posted first will not help, you have to scan again and post a new log.

Also, go to Start> Run and type regedit and press ENTER.
Then navigate to this key HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies by using the "+" symbol infront of the keys. Then click on that key to select it, and go File Menu, and click "Export". Then type a filename as UserWP and save it. Exit from RegEdit.
Open NotePad, and go to File> Open, here choose All Files (*.*) from the Show files of type dropdown box, then select the file UserWP.reg and open it. Copy the contents of the file and post it here.

vickymustdie · 12-05-2005, 12:31 AM

Hi Swatkat, this is my new HIJACKTHIS logfile.......

Logfile of HijackThis v1.99.1
Scan saved at 12:27:06 AM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\egjokul.exe
C:\WINDOWS\system32\cmd32.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfa.exe
F:\oracle\ora90\BIN\TNSLSNR.exe
f:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Ã?Â³#Â*L"h'Ã¾9Ã“Å“Ã°3rÃ…WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\egjokul.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [wfzf] C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6455DD65-722B-405A-AAD1-335817486602} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6455DD65-722B-405A-AAD1-335817486602} - (no file) (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B67F39-18C1-4A9F-85A2-E8C35EC1DE75}: NameServer = 203.197.38.2 203.197.38.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{87F3CD8D-8CE5-441D-8FD8-D2478ADDE0E5}: NameServer = 203.197.38.2,203.197.38.3
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - F:\oracle\ora90\bin\xsolap.exe
O23 - Service: Oracle OLAP Agent - Unknown owner - F:\oracle\ora90\bin\xsaagent.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - F:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - F:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - F:\oracle\ora90\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome90PagingServer - Unknown owner - F:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - F:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - F:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - F:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceANIL - Oracle Corporation - f:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - F:\oracle\ora90\bin\osagent.exe
===============================================

And my REGEDIT notepad file

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\AMeOpt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"

===============================================

And now while accesing any EXE file, I'm getting this problem.

I think My system is seriously having a major problem and so such things are happening.. I request you all Suggestions and HELP

swatkat · 12-05-2005, 01:00 AM

You can save this webpage, so that you can look at this page to mark the entries to be deleted while you are in safe mode.
Download these tools:-
CCleaner
AdAware
SpyBot SnD
TrojanHunter Trial
SpywareBlaster

Reboot in safe mode.

Go to Add/Remove Programs in Control Panel. Then uninstall this entry if you find it:-
Wind Updates

Run HijackThis and click "Do a System scan only". Then select these entries in HijackThis:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Ã?Â³#Â*L"h'Ã¾9Ã“œÃ°3rÃ…WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\egjokul.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [wfzf] C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab

Then close all other open programs, and click "Fix Checked" in HijackThis.

Exit from HijackThis, and delete these files:-
C:\WINDOWS\nem220.dll
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\egjokul.exe
C:\WINDOWS\system32\cmd32.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe

And delete these folders:-
C:\Program Files\ISTsvc
C:\PROGRA~1\COMMON~1\wfzf

Run these tools:-
CCleaner --> Click "Options" button and here go to "Settings" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner".

AdAware --> Click "Scan Now" button in the left pane and select the radio button "Perform full system scan" and click "Start".

SpyBot SnD --> Go to "Mode" menu and click "Advanced". Then "Settings" tab in the left pane, and click "File Sets" and here select the file set named "Usage Tracking" and "Tracks.uti". Then click "SpyBot S&D" button in the left pane and click "Check For Problems".

TrojanHunter --> Select all the Hard Disk partitions and click "Full Scan".

SpywareBlaster --> Run it, and click "Enable All Protection" and close.

After the above steps, copy the below text in Quotes to NotePad, and go to File> Save As and type the filename as Fix.reg and save it. Then exit from NotePad, and double click on the file Fix.reg, click OK to merge it to the Registry.

Quote:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"Wallpaper"=-

Then delete this file:-
C:\wp.bmp

Restart to normal mode and post a new HijackThis log.

swatkat · 12-05-2005, 01:02 AM

Hi,
First perform the above mentioned steps, later the Autoexec.nt error can be taken care of.

rajas · 12-05-2005, 01:12 AM

Try this for the Autoexec.nt

swatkat · 12-05-2005, 01:27 AM

Install a Firewall, you can go for ZoneAlarm Free Version, it's simple and effective.

vickymustdie · 12-05-2005, 05:23 PM

Hi Swatkat..

Thanks for the reply and the resolutions...

But the biggest problem I'm facing now is BOOTING IN SAFE MODE... I'm unable to boot in Safemode... Pressing F5 or F8 takes me to the safemode screen but after selecting it... it reads some drivers and then stucks...

I've tried several times but all in vain...

Can I perform your steps in Normal mode.....

swatkat · 12-05-2005, 06:35 PM

Hi,
Yes, you can do that in normal mode, but before fixing in HijackThis, kill these processes using Task Manager (CTRL-ALT-DEL):-
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\egjokul.exe
C:\WINDOWS\system32\cmd32.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfm.exe
C:\PROGRA~1\COMMON~1\wfzf\wfzfa.exe

For killing the processes, you can also use HijackThis's Process Viewer.

Popular Categories

Popular Articles

Content Categories

Sister Sites

Follow Us

Facebook Channels

Digit Magazine