
Malware Removal Instructions

HIJACKER.COSTRAT.E

Post by bnkrldy » September 3rd, 2006, 12:46 am

There are 3 users on the puter, and we run Win XP PRO. These symptoms are affecting only ONE user (the other users are ok so far):

-the desktop background and screen saver preference were wiped out. I am able to go to "properties" on the desktop, but the changes are not stored in memory. When I tried CleanDeskTop.Exe, a message said "Loading your setting exe failed. Access is denied"

-the home page is changed to About:Blank; and attempts to correct it are not remembered.

-I cannot download ANYTHING (such as Kaspersky, desktoptab.reg, ETC). It seems as if the Internet Security settings were changed but I cannot fix them.

-the start menu items are deleted, and attempts to put them back are not remembered.

-SpywareBlaster will not enable protection
-Cleanup! will not run

-scans with Spybot, Ad-Aware, A2, and McAfee showed nothing

-Ewido found Hijacker.costrate.e

Here is the HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 9:44:05 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\dmadmin.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Leanna\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug ... porter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
bnkrldy
Regular Member
Posts: 35
Joined: July 8th, 2006, 1:43 am

Post by whisperer » September 3rd, 2006, 12:05 pm

Hi bnkrldy and welcome to the Malware Removal forums. My name is Whisperer and I will be pleased to help you with your problem.

  1. I note that you are running HijackThis from the Desktop. It is important that it runs from within its own folder, because it makes backups of the repairs in case any procedure needs to be reversed, and these are stored in that folder. To move HijackThis:
    • Open Windows Explorer and click on the C drive
    • From the menu select New then Folder
    • Right-click the folder and rename it to HijackThis or HJT
    • Place the HijackThis.exe file there.
  2. The log does look a little sparse, so when you have moved it, would you please open msconfig:
    • Click Start and select Run
    • Type msconfig in to the run box and press OK
    • Select the Startup tab and make a note of any programs that do/do not have a tick against them, whichever is easiest for you
    • Click the Enable All button and then OK
    • Reboot the computer to Normal mode to allow the changes to take effect.
  3. Please do a rescan with HijackThis and save the log
  4. Finally, I would like you to produce a list of installed programs to assist me in any cleanup. To do this, open HijackThis:
    1. Click on Open the Misc Tools section or Config… button, depending on how you are set up.
    2. If you used the Config... option then click the Misc Tools tab
    3. Select Open Uninstall Manager , a list of your installed programs will be displayed.
    4. Select the Save List… button and save the file to your desktop.
  5. Please post a copy of this list in your reply together with the new HijackThis log

GT ;)
whisperer
Retired Graduate
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Post by bnkrldy » September 3rd, 2006, 12:53 pm

Thank you so much for your time and patience! Here is the list of INSTALLED PROGRAMS:

ACS495
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.5
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
ATI mach64 Display Driver
Bookmark Express
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss REBEL 300D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
CleanUp!
EPSON Printer Software
EPSON Status Monitor 2
ewido anti-spyware 4.0
HijackThis 1.99.1
HP Image Zone 3.5
HP Photosmart Cameras 3.5
HP Software Update
IBM Rapid Access Keyboard
Java 2 Runtime Environment, SE v1.4.1_07
Java Web Start
Macromedia Shockwave Player
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft IntelliPoint
Microsoft Office 97, Professional Edition
Microsoft Publisher 97
PaperPort 6.5
QuickTime
RealPlayer
Rescue Disk
Shockwave
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Visioneer 3300 Scanner Driver
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Media Format Runtime
Windows Media Player 10
Windows XP Uninstall


and here is the new HIJACKTHIS log:

Logfile of HijackThis v1.99.1
Scan saved at 9:51:40 AM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Documents and Settings\Gale\Desktop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug ... porter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe

Post by whisperer » September 3rd, 2006, 3:29 pm

A bit more information please.

Are you accessing the internet from your account or are you using one of the other accounts?

Do you have just the one partition on your computer?

If you still have it please post the Ewido log OR please carry out another Ewido scan and post that log instead.

I will now look at your log in more detail.

GT :thumbup:

Post by bnkrldy » September 3rd, 2006, 8:49 pm

Yes, I am accessing the internet through the account with problems. If I need to d/l anything, I have to go to another account, then switch back and access the d/l through Explorer.

Sorry, I am not sure what a partition is. The only thing I can tell you about the system configuration is when I upgraded from Win 98 to XP PRO, I created the 3 accounts.

I did not save the original Ewido log, and a new scan reveals nothing:

--------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:42:47 PM 9/3/2006

+ Scan result:

Nothing found.

::Report end

Post by whisperer » September 4th, 2006, 10:58 am

Thanks for the answers. For your information, a computer can be fitted with more than one hard disk drive; similarly, any one hard drive can be split into electronic sub-divisions, each of which is known as a partition.

We have a few things to correct within your current log, but to clear your computer of any malware we are going to have to check each user account that you have. We will concentrate on each in turn, starting with your 'bad' one, and there will be more questions as we progress. :) If at any time you have any questions about any fixes then please ask; the only dumb question is the one that is not asked.

If you have names for each account then that will remove possible confusion later; please advise accordingly.

We will start with the download for this session. At the time of writing subratam's site is down; please persevere with the download, but let me know if you are unable to achieve it within a sensible time-frame and we will try a different tack.

  1. Please download this file and save it somewhere so that you can access it from your bad user account.
  2. You have Real Player installed on your computer. There was a time when Real Player was one of the most wanted programs to be installed on every computer; nowadays the new version is one of the ones not to have.
    1. If it is RealOne Player then I would recommend its removal.
    2. If you prefer to keep it OR it is the Real Player Classic then I suggest you navigate to C:\Program Files\Common Files\Real\Update_OB\ and rename the Realsched.exe file to Realsched.exe.old.
    3. To assist you further have a look at this post
  3. To ensure that Ewido does not block any fixes, please open Ewido and select the Shield option from the top menu, ensure that the Resident Shield is inactive.
  4. Start your HijackThis and click on Scan
    1. Click in the check-box to the left of each of the following entries, if found
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      • R3 - Default URLSearchHook is missing
      • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      • O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug ... porter.cab?
    2. With all windows closed except HijackThis, select Fix Checked
  5. We will fix the O15 entries in your log with the download that you made earlier (I hope you succeeded)
    1. Locate and run the Fix-Protocol-zones-ranges.reg file
    2. Answer yes to any prompts.
    3. Open your Spybot S&D and click the Immunize shield to restore its protection
  6. Now reboot your computer back to Normal mode
  7. The obligatory question: you have a program installed called Bookmark Express; this could either be an Adware program or a genuine Bookmarks Manager program. Please tell me what you know about it.
  8. Please post:
    • A new HijackThis log
    • Any known information about Bookmark Express
    • Any observations about the computer's behaviour

GT :thumbup:
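
Added example, not part of whisperer's post and not code from HijackThis: the entries picked out above (the blank R0 start and local pages, the missing R3 URLSearchHook, the O15 protocols sitting in the My Computer zone, an O4 autorun) are exactly the kind of thing a short triage script can flag before a human reads the whole log. The Python below parses a HijackThis 1.99 log into its header, running-process list and entries, then applies those checks to a sample log constructed from lines in this thread. The flagging rules and their wording are this example's own heuristics, not HijackThis logic; a hit means "look at this", not "this is malware".

```python
"""Offline triage of a HijackThis 1.99 log.

Added example, not from the thread or HijackThis. Splits a log into header,
running processes and entries, then flags the entry classes the helper acted
on (blanked R0, missing R3 hook, O15 zone mismatch, O4 autoruns from a user
profile or without a full path, O20 Notify DLL with a truncated path). The
rules are this example's own heuristics.
"""
import re

# Constructed sample: a trimmed mix of lines taken from the logs in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:51:40 AM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Documents and Settings\Gale\Desktop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")          # "O4 - <body>"
O4_RE = re.compile(r"^(?:HK\w+\\[^:]*|Global Startup|Startup): (?:\[[^\]]*\] )?(.*)$")
PROFILE_RE = re.compile(r"\\Documents and Settings\\", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_log(text):
    """Return (header_lines, process_paths, entries); entries are (code, body)."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            section = "procs"
            continue
        if not line:
            if section == "procs":          # blank line ends the process list
                section = "entries"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append((m.group(1), m.group(2)))
        elif section == "procs":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return header, processes, entries

def autorun_target(body):
    """Pull the launched program out of an O4 entry body."""
    m = O4_RE.match(body)
    target = m.group(1) if m else body
    if " = " in target:                      # "name.lnk = <target>" shortcut form
        target = target.split(" = ", 1)[1]
    if target.startswith('"'):               # quoted path followed by arguments
        return target[1:].split('"', 1)[0]
    return target

def triage(entries):
    """Return (code, reason, body) for each entry that matches a heuristic."""
    findings = []
    for code, body in entries:
        if code == "R0" and body.rstrip().endswith("="):
            findings.append((code, "value blanked", body))
        elif code == "R3" and body.endswith("is missing"):
            findings.append((code, "default URLSearchHook removed", body))
        elif code == "O15" and body.startswith("ProtocolDefaults:"):
            findings.append((code, "protocol moved out of its default zone", body))
        elif code == "O4":
            target = autorun_target(body)
            if target == "?":
                findings.append((code, "shortcut target could not be resolved", body))
            elif PROFILE_RE.search(target):
                findings.append((code, "machine-wide autorun runs from a user profile", body))
            elif not ABS_PATH_RE.match(target):
                findings.append((code, "no absolute path; resolved via PATH at logon", body))
        elif code == "O20":
            dll = body.rsplit(" - ", 1)[-1]
            if not dll.lower().endswith(".dll"):
                findings.append((code, "Winlogon Notify DLL path truncated or missing", body))
    return findings

if __name__ == "__main__":
    _, procs, entries = parse_log(SAMPLE_LOG)
    for code, reason, body in triage(entries):
        print(f"{code:4} {reason:48} {body[:60]}")
```

Run it as-is to see the hits on the sample, or pass the contents of a saved log to parse_log in place of SAMPLE_LOG. The O4 rule that flags a machine-wide Run entry pointing into another account's Desktop mirrors the PCPitstop reminder in the second log above: an HKLM\Run value is executed for every account that logs on, whichever profile the file lives in.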

Post by bnkrldy » September 4th, 2006, 1:30 pm

The three names on the computer are Leanna (the "bad" account), Gale, and Rich.

I was not able to d/l the link from subratam, so could not fix the O15 entries.

I am using the free version of Ewido, so the shield option is inactive.

I did the Hijackthis fix.

As for Bookmark Manager, it has been here since I have had the computer (since 1997~oldie but goodie), and as far as I know, we have never used the program. It can stay or it can go. Just let me know.

With just the little hijackthis fix, the puter seems to be running a lot faster! Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:32 AM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe

Post by whisperer » September 4th, 2006, 2:55 pm

Glad to hear that we are making progress. This post is going to be short in the hope I can get a reply before it is time to crash out – you have about 3 hours :D

There are some modern malware programs that are capable of hiding their presence from HijackThis but not clever enough to hide from a renamed file. Please navigate to the HijackThis.exe file, right-click and select rename – make the name "Check.exe" and then do another scan for me please before carrying out the next two fixes.

We will now remove the O15 entries with HijackThis so please start your HijackThis and click on Scan
  1. Click in the check-box to the left of each of the following entries, if found
    • O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    • O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    • O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    • O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    • O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
  2. With all windows closed except HijackThis, select Fix Checked

There is a small hint that you have a Cool Web Search (CWS) infection in one of the O15 entries; it may not be so, but no harm will be done by running a fix.

Download CWShredder from here and save it to your desktop. A tutorial is available here if required. Click on the CWShredder icon on your desktop:
  1. Select the Check For Update button
  2. The next screen will advise requirements for update, if available click the Download and open update
  3. When finished click the Fix button
  4. You will be kept advised of the results of the scan and a report will be generated when you click Next
  5. If you were infected then you are recommended to select the How do I prevent re-infection? option
  6. Click Exit
Please reboot the computer and then post
  • The HijackThis log prior to the fixes but after the rename
  • A copy of the CWS report
  • A second HijackThis log after the fixes
  • A check whether you are still unable to change the home page away from About:Blank

GT :thumbup:
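
Added example, not whisperer's Fix-Protocol-zones-ranges.reg and not code from HijackThis or CWShredder: what the O15 fix above actually changes. HijackThis reads those entries from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults, one REG_DWORD per protocol holding the zone number (0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted). The key is per-user, so a hijack there shows up in one account only, which fits this thread. The Python below parses the O15 lines from a log (or a dump of the live values), compares them with the Windows XP defaults and renders a .reg file that puts them back. The sample lines are copied from the log above; the defaults are the stock XP values, and the script never touches the registry itself.

```python
"""Rebuild the per-user ProtocolDefaults zone map behind the O15 entries.

Added example, not the Fix-Protocol-zones-ranges.reg file mentioned in the
thread and not HijackThis code. It parses O15 ProtocolDefaults lines, or a
dump of the current registry values, and renders a .reg fragment that puts
each protocol back into its Windows XP default zone.
"""
import re

# Internet Explorer security zone identifiers (URLZONE_* values).
ZONES = {"My Computer": 0, "Intranet": 1, "Trusted": 2, "Internet": 3, "Restricted": 4}

# Windows XP defaults for the per-user ProtocolDefaults key (REG_DWORD each).
XP_DEFAULTS = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3, "shell": 0}

KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
       r"\Internet Settings\ZoneMap\ProtocolDefaults")

O15_RE = re.compile(
    r"^O15 - ProtocolDefaults: '([^']+)' protocol is in (.+?) Zone, should be (.+?) Zone$")

# Sample input copied from the thread's HijackThis log.
SAMPLE_O15 = """\
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
"""


def fixes_from_o15(text):
    """{protocol: (current_zone, expected_zone)} for every O15 line in a HJT log."""
    fixes = {}
    for line in text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            proto, current, expected = m.groups()
            fixes[proto] = (ZONES[current], ZONES[expected])
    return fixes


def fixes_from_registry(current):
    """Same shape, computed from a dump of the live key ({protocol: zone or None}).

    A protocol that is absent from the key counts as wrong too, so the fix
    re-creates it explicitly instead of leaving the lookup to fall through."""
    return {p: (current.get(p), d) for p, d in XP_DEFAULTS.items()
            if current.get(p) != d}


def build_reg(fixes):
    """Render a regedit-importable .reg file setting each protocol to its expected zone."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{KEY}]"]
    for proto in sorted(fixes):
        lines.append(f'"{proto}"=dword:{fixes[proto][1]:08x}')
    return "\r\n".join(lines) + "\r\n"   # regedit expects CRLF line endings


if __name__ == "__main__":
    print(build_reg(fixes_from_o15(SAMPLE_O15)), end="")
```

Save the output as a .reg file and import it with regedit while logged on as the affected account: HKEY_CURRENT_USER resolves to whichever account is logged on, so importing it from Gale's or Rich's account would edit the wrong hive and leave Leanna's untouched. Mapping http, https, ftp and file into the My Computer zone hands remote content the settings of the loosest of the five zones, which is why HijackThis reports it as a hijack rather than a preference.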

Post by bnkrldy » September 4th, 2006, 4:42 pm

Here is the HIJACKTHIS log after name change, prior to fix:
Logfile of HijackThis v1.99.1
Scan saved at 1:11:30 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\check.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe


CWSHREDDER didn't find any infection, but here is the report:

RUN: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
RUN: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
RUN: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
RUN: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
RUN: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
RUN: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
RUN: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
RUN: [MsmqIntCert] regsvr32 /s mqrt.dll
RUN: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
RUN: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
RUN: [asp4tray] asp4tray.exe
RUN: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe


**** Browser Helper Objects ****



**** IE Toolbars ****

TOOLBAR: [McAfee VirusScan] c:\progra~1\mcafee.com\vso\mcvsshl.dll


**** IE Extensions ****

IEExt: []


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS:
HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
Default Search: http://www.microsoft.com/isapi/redir.dl ... r=iesearch


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD nwlnkipx [IPX]
LSP: MSAFD nwlnkspx [SPX]
LSP: MSAFD nwlnkspx [SPX] [Pseudo Stream]
LSP: MSAFD nwlnkspx [SPX II]
LSP: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
LSP: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 9
LSP: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 9
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{ACBEB740-3DDF-4DF4-BE30-5AE078A78D38}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{ACBEB740-3DDF-4DF4-BE30-5AE078A78D38}] DATAGRAM 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{DE715CB6-CB8C-4548-9BB0-B4A3BFB80F60}] SEQPACKET 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{DE715CB6-CB8C-4548-9BB0-B4A3BFB80F60}] DATAGRAM 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{4CEA8E50-69FA-4DB7-8D2D-82764086D60B}] SEQPACKET 8
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{4CEA8E50-69FA-4DB7-8D2D-82764086D60B}] DATAGRAM 8
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACBEB740-3DDF-4DF4-BE30-5AE078A78D38}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACBEB740-3DDF-4DF4-BE30-5AE078A78D38}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE715CB6-CB8C-4548-9BB0-B4A3BFB80F60}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE715CB6-CB8C-4548-9BB0-B4A3BFB80F60}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{548CA941-2631-4BEE-8F2F-15E9D64D77B8}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{548CA941-2631-4BEE-8F2F-15E9D64D77B8}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FCFE1370-11F3-4279-9BFC-6AC495423C57}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FCFE1370-11F3-4279-9BFC-6AC495423C57}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5904B90E-BD37-4AC2-A125-79229908C5B5}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5904B90E-BD37-4AC2-A125-79229908C5B5}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CFEFBD7D-E246-410B-8C6B-F16572EDE048}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CFEFBD7D-E246-410B-8C6B-F16572EDE048}] DATAGRAM 5


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

DirectAnimation Java Classes []
Microsoft XML Parser for Java []
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} [http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab]
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} [http://office.microsoft.com/officeupdate/content/opuc3.cab] C:\WINDOWS\opuc.dll
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab]
{5F8469B4-B055-49DD-83F7-62B522420ECC} [http://upload.facebook.com/controls/FacebookPhotoUploader.cab] C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} [http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab]
{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} [http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


**** Windows Services ****

[6to4] %SystemRoot%\system32\svchost.exe -k netsvcs
[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AOL ACS] C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\system32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs
[ewido anti-spyware 4.0 guard] C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[IISADMIN] C:\WINDOWS\system32\inetsrv\inetinfo.exe
[ImapiService] C:\WINDOWS\system32\imapi.exe
[Iprip] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService
[LPDSVC] %SystemRoot%\system32\tcpsvcs.exe
[McShield] c:\PROGRA~1\mcafee.com\vso\mcshield.exe
[mcupdmgr.exe] C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe
[MpfService] C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
[MSDTC] C:\WINDOWS\system32\msdtc.exe
[MSFtpsvc] %SystemRoot%\system32\inetsrv\inetinfo.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[MSMQ] C:\WINDOWS\system32\mqsvc.exe
[MSMQTriggers] C:\WINDOWS\system32\mqtgsvc.exe
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\system32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[p2pgasvc] %SystemRoot%\system32\svchost.exe -k p2psvc
[p2pimsvc] %SystemRoot%\system32\svchost.exe -k p2psvc
[p2psvc] %SystemRoot%\system32\svchost.exe -k p2psvc
[PlugPlay] %SystemRoot%\system32\services.exe
[PNRPSvc] %SystemRoot%\system32\svchost.exe -k p2psvc
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\system32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\system32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SimpTcp] %SystemRoot%\system32\tcpsvcs.exe
[SMTPSVC] C:\WINDOWS\system32\inetsrv\inetinfo.exe
[SNMP] %SystemRoot%\System32\snmp.exe
[SNMPTRAP] %SystemRoot%\System32\snmptrap.exe
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{F7D7EC3A-CA8A-4D3C-9359-E95CD96DB9D1}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\system32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\system32\wdfmgr.exe
[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[W3SVC] %SystemRoot%\system32\inetsrv\inetinfo.exe
[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService
[WinDefend] "C:\Program Files\Windows Defender\MsMpEng.exe"
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\SYSTEM32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [Update_Check_Page] http://www.microsoft.com/isapi/redir.dl ... =ie5update
IEOPT: [Update_Check_Interval]
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Window Title] Microsoft Internet Explorer provided by Comcast High-Speed Internet
IEOPT: [Check_Associations] no
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Use_DlgBox_Colors] yes

A second HIJACKTHIS log after fixes:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:36 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\dllhost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\check.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe


and I am still unable to change the home page from About:Blank. Well, I can CHANGE it, but the change is not remembered.
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am


Unread postby whisperer » September 5th, 2006, 2:30 am

Thanks bnkrldy,

we did not get any further with that run as the O15 entries are still there as well as the R's. I would like to have a look at the other users' logs, so please post one for Gale and one for Rich as well in your next post.

We will try a different tool to remove the O15 entries, please download Deldomains to your desktop.
  • Right-click DelDomains.inf and select: Install (no need to restart)
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

I would then like you to repeat the HijackThis fix from within Safe mode, it would be nice if the O15's were not there…. :)

Reboot the computer into safe mode using a clean boot sequence as follows.
  1. Select the Start button and then Turn Off Computer
  2. From the options, select Turn Off and, when the computer has shut down, switch off the power supply.
  3. After 30 seconds, restore the power supply and switch on the computer
  4. Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
  5. As soon as the BIOS loads, or a single Beep is heard then begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
  6. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
  7. Using the arrow keys on the keyboard, select Safe mode and then press Enter.
  8. When in Safe mode you will have your Desktop with the word Safe Mode in the 4 corners.

Please now start your HijackThis and click on Scan
  1. Click in the check-box to the left of each of the following entries, if found
    • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    • R3 - Default URLSearchHook is missing
    • O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    • O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    • O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    • O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    • O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
  2. With all windows closed except HijackThis, select Fix Checked

EDIT: Please take the second .exe off of the renamed HijackThis file so that it reads "Check.exe" :)

Reboot back to Normal mode and post the new HijackThis logs.
GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 5th, 2006, 8:23 pm

I have to get to safe mode by using the System Configuration Utility---it won't let me use the F8 button, but I hope it gets the result you were looking for. Also, when I was in safe mode, I was only able to log onto GALE and ADMINISTRATOR. Those scans did not show the O15 listings.

Here is Gale's Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:02:52 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Gale\Desktop\check.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\drwtsn32.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe


Here is RICH's log:

Logfile of HijackThis v1.99.1
Scan saved at 5:11:23 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Hijackthis\check.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe

AND here is LEANNA'S log, still showing the O15s:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:30 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Hijackthis\check.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 6th, 2006, 3:59 am

Thanks for the logs bnkrldy,

These O15 entries are possibly the root cause of your problems so we must try to get rid of them. I assume that you had no problems using deldomains so we must try another tack to get rid of the stubborn entries.

Please download Fix_Protocol_zones_ranges.reg from here and save the zip file to your Desktop
  • Locate FixP.zip and click to open
  • Select the Extract button and extract to the Desktop
  • Right-click the Fix_Protocol_zones_ranges.reg file and select: Merge (OK the prompt)


Please post another HijackThis log for Leanna's account.

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
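The DelDomains note and the Fix_Protocol_zones_ranges.reg step both act on the same per-user registry key, the one HijackThis reads to produce its O15 ProtocolDefaults lines. As an added example (not a tool from this thread or from the helpers here), the PowerShell script below reads that key for the current user, reports which protocols have drifted from the Windows defaults, and with -Restore writes the defaults back. The function name Get-ProtocolDefaultDrift is my own; the key path, the value names (@ivt, file, ftp, http, https) and the zone numbers are the standard Internet Explorer ZoneMap values.

```powershell
# Added example, not part of the thread: audit and optionally restore the
# per-user IE ProtocolDefaults values that HijackThis reports as O15 entries.
# Zone IDs: 0 = My Computer, 1 = Local Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted.
param([switch]$Restore)

$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

# Out-of-the-box mapping; this is what the O15 check expects.
$Expected = [ordered]@{ '@ivt' = 1; 'file' = 3; 'ftp' = 3; 'http' = 3; 'https' = 3 }
$ZoneName = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# Hypothetical helper name: returns one record per protocol with a Drift flag.
function Get-ProtocolDefaultDrift {
    if (-not (Test-Path $Key)) { throw "Key not found: $Key" }
    $item = Get-ItemProperty -Path $Key
    foreach ($proto in $Expected.Keys) {
        $prop = $item.PSObject.Properties[$proto]
        $actual = if ($null -ne $prop) { [int]$prop.Value } else { -1 }   # -1 = value missing
        [pscustomobject]@{
            Protocol     = $proto
            Actual       = $actual
            ActualZone   = if ($ZoneName.ContainsKey($actual)) { $ZoneName[$actual] } else { 'missing/unknown' }
            Expected     = $Expected[$proto]
            ExpectedZone = $ZoneName[$Expected[$proto]]
            Drift        = ($actual -ne $Expected[$proto])
        }
    }
}

$drift = @(Get-ProtocolDefaultDrift | Where-Object { $_.Drift })
if ($drift.Count -eq 0) {
    Write-Host 'ProtocolDefaults match the Windows defaults; no O15 entries expected.'
    return
}

# Show the same information HijackThis prints, e.g. "'http' is in My Computer Zone, should be Internet Zone".
$drift | Format-Table Protocol, ActualZone, ExpectedZone -AutoSize

if ($Restore) {
    foreach ($d in $drift) {
        Set-ItemProperty -Path $Key -Name $d.Protocol -Value $d.Expected -Type DWord
    }
    Write-Host "Restored $($drift.Count) value(s). Re-run HijackThis to confirm the O15 lines are gone."
}
```

Run it from the affected account, since the key lives under HKCU. If Set-ItemProperty fails with access denied, or the values come back after a reboot (the "changes are not remembered" symptom reported in this thread), check the key's permissions with Get-Acl on the same path and look for whatever is re-applying the values, rather than merging the .reg file again.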

Unread postby bnkrldy » September 6th, 2006, 7:49 pm

I d/l deldomains from Gale's account, then switched to Leanna's and installed it with no problem. When I tried the same thing with the Fix_Protocol_zones_ranges.reg, however, it would not let me install it on Leanna's account. The message said "cannot import C:/windoes/temp/temporary directory 1 for Fixp.zip/fix_Protocal_zones_ranges.reg: error accessing the directory."

For what it's worth, here is an updated HJL for Leanna:

Logfile of HijackThis v1.99.1
Scan saved at 4:44:58 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\vssvc.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Hijackthis\check.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe

Are we having fun yet? =o)
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 7th, 2006, 4:05 am

Hi bnkrldy,

Do not despair, we are getting there as each clue fills in another piece of the jigsaw puzzle.

The probable reason why you could not run the reg file is that you were running it from a temp/zipped directory. We will try two methods to rectify that problem.

Method 1. Please locate the original FixP.zip file and copy it across to your Desktop, then extract the file to your Desktop. It should then merge quite happily into your system.

Method 2. Extract the file to a location common to all accounts, switch back to Leanna's, and then either run the file from its new location or copy it across to Leanna's Desktop and run it from there.

I have other experts looking at your logs and one question is "What file was being flagged as infected by hijacker.costrat.e?"

Please boot into Safe mode to run Ewido again, and then please post a new HijackThis log, any information about the infected file, and the Ewido log.

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall