MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Similar problem...different computer (Read 5374 times)
poyndextr
« on: July 26, 2004, 04:15:28 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: XP Prof.
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



benditup,

I was hoping that I wouldn't have to bug you for help again, but unfortunately another one of our computers is having problems that I don't know how to fix. The homepage has been reset to res://stgnx.dll/index.html#37049 or http://www.msn.com. Pop-ups are a problem, and the really annoying thing is that every time a program is started or a new website is visited, a Windows Installer box pops up and starts trying to install one of the Windows programs. I am assuming that in your vast experience you have encountered something like this. I have run Ad-Aware after modifying the settings in general, scanning, and tweaks, which has helped, but not resolved the problem. As always, any help that you can give is GREATLY appreciated.

thank you,

poyndextr
 
benditup
« Reply #1 on: July 26, 2004, 04:24:02 PM »

Can I see a HijackThis log please?
Important: create a permanent folder for HijackThis.
E.g. open My Documents, right click an empty spot and select New > Folder, and name the new folder HJT. This is where you will want to save HijackThis to; backups will be stored there too.
download from
HERE or HERE

This one may be tough, but I'm sure we can get it
 
poyndextr
« Reply #2 on: July 26, 2004, 04:37:30 PM »

Here is the HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 10:33:02 AM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\ipzc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\WINDOWS\system32\addab.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Pvsw\Bin\W3DBSMGR.EXE
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
\Cdi05\c$\Program Files\desktop weather\desktopweather_1225103.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
\cdisrv01\home\shawnw\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [appcs32.exe] C:\WINDOWS\appcs32.exe
O4 - HKLM\..\RunOnce: [javayl32.exe] C:\WINDOWS\system32\javayl32.exe
O4 - HKLM\..\RunOnce: [d3ko.exe] C:\WINDOWS\d3ko.exe
O4 - HKLM\..\RunOnce: [mfcaw.exe] C:\WINDOWS\system32\mfcaw.exe
O4 - HKLM\..\RunOnce: [syszy.exe] C:\WINDOWS\syszy.exe
O4 - HKLM\..\RunOnce: [netdp.exe] C:\WINDOWS\netdp.exe
O4 - HKLM\..\RunOnce: [iejb.exe] C:\WINDOWS\system32\iejb.exe
O4 - HKLM\..\RunOnce: [crbr.exe] C:\WINDOWS\crbr.exe
O4 - HKLM\..\RunOnce: [apiyq32.exe] C:\WINDOWS\apiyq32.exe
O4 - HKLM\..\RunOnce: [apiuu.exe] C:\WINDOWS\system32\apiuu.exe
O4 - HKLM\..\RunOnce: [ipgy.exe] C:\WINDOWS\system32\ipgy.exe
O4 - HKLM\..\RunOnce: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\RunOnce: [apidd32.exe] C:\WINDOWS\system32\apidd32.exe
O4 - HKLM\..\RunOnce: [atlep.exe] C:\WINDOWS\atlep.exe
O4 - HKLM\..\RunOnce: [winue.exe] C:\WINDOWS\winue.exe
O4 - HKLM\..\RunOnce: [sysea32.exe] C:\WINDOWS\system32\sysea32.exe
O4 - HKLM\..\RunOnce: [d3tp32.exe] C:\WINDOWS\system32\d3tp32.exe
O4 - HKLM\..\RunOnce: [syskb32.exe] C:\WINDOWS\system32\syskb32.exe
O4 - HKLM\..\RunOnce: [iena.exe] C:\WINDOWS\iena.exe
O4 - HKLM\..\RunOnce: [appli32.exe] C:\WINDOWS\appli32.exe
O4 - HKLM\..\RunOnce: [atlxl32.exe] C:\WINDOWS\atlxl32.exe
O4 - HKLM\..\RunOnce: [netjt.exe] C:\WINDOWS\netjt.exe
O4 - HKLM\..\RunOnce: [mszr32.exe] C:\WINDOWS\system32\mszr32.exe
O4 - HKLM\..\RunOnce: [nten.exe] C:\WINDOWS\system32\nten.exe
O4 - HKLM\..\RunOnce: [apite.exe] C:\WINDOWS\apite.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: desktop weather.lnk = Program Files\desktop weather\desktopweather_1225103.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\Pvsw\Bin\W3DBSMGR.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://cosstore.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C876C44F-F4CF-11D2-BC2A-E5C9894AD505} (FastBid Class) - http://www.bxwa.com/fastbid/fastbidx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cdi-services.com
O17 - HKLM\Software\..\Telephony: DomainName = cdi-services.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B1964E9-99D7-4C49-9E6E-20DA4C5F6574}: NameServer = 192.168.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cdi-services.com
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
 
benditup
« Reply #3 on: July 26, 2004, 05:19:10 PM »

Let's try a couple of things to get you clean; you have a couple of infections.

Download and unzip to desktop About:Buster
DON'T Run it yet

RESTART your Computer in SAFE MODE

Go to START---RUN---type in "services.msc" without quotes
Find this service on the right: Wintools for IE Service. Also look for this one and do the same: Network Security Service (carry on if you don't find it).
Double click it, stop the service,
and set it to Disabled in the drop-down menu.

Also enter your task manager and make sure these processes aren't running
msiexec.exe <--not dangerous, but it's the windows installer component
ipzc.exe
addab.exe

Access your Add/Remove Programs via Control Panel and Remove
Wintools

Find and delete this folder
C:\Program Files\Common files\WinTools <--this folder

Next: While still in Safe Mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [appcs32.exe] C:\WINDOWS\appcs32.exe
O4 - HKLM\..\RunOnce: [javayl32.exe] C:\WINDOWS\system32\javayl32.exe
O4 - HKLM\..\RunOnce: [d3ko.exe] C:\WINDOWS\d3ko.exe
O4 - HKLM\..\RunOnce: [mfcaw.exe] C:\WINDOWS\system32\mfcaw.exe
O4 - HKLM\..\RunOnce: [syszy.exe] C:\WINDOWS\syszy.exe
O4 - HKLM\..\RunOnce: [netdp.exe] C:\WINDOWS\netdp.exe
O4 - HKLM\..\RunOnce: [iejb.exe] C:\WINDOWS\system32\iejb.exe
O4 - HKLM\..\RunOnce: [crbr.exe] C:\WINDOWS\crbr.exe
O4 - HKLM\..\RunOnce: [apiyq32.exe] C:\WINDOWS\apiyq32.exe
O4 - HKLM\..\RunOnce: [apiuu.exe] C:\WINDOWS\system32\apiuu.exe
O4 - HKLM\..\RunOnce: [ipgy.exe] C:\WINDOWS\system32\ipgy.exe
O4 - HKLM\..\RunOnce: [winxp.exe] C:\WINDOWS\winxp.exe
O4 - HKLM\..\RunOnce: [apidd32.exe] C:\WINDOWS\system32\apidd32.exe
O4 - HKLM\..\RunOnce: [atlep.exe] C:\WINDOWS\atlep.exe
O4 - HKLM\..\RunOnce: [winue.exe] C:\WINDOWS\winue.exe
O4 - HKLM\..\RunOnce: [sysea32.exe] C:\WINDOWS\system32\sysea32.exe
O4 - HKLM\..\RunOnce: [d3tp32.exe] C:\WINDOWS\system32\d3tp32.exe
O4 - HKLM\..\RunOnce: [syskb32.exe] C:\WINDOWS\system32\syskb32.exe
O4 - HKLM\..\RunOnce: [iena.exe] C:\WINDOWS\iena.exe
O4 - HKLM\..\RunOnce: [appli32.exe] C:\WINDOWS\appli32.exe
O4 - HKLM\..\RunOnce: [atlxl32.exe] C:\WINDOWS\atlxl32.exe
O4 - HKLM\..\RunOnce: [netjt.exe] C:\WINDOWS\netjt.exe
O4 - HKLM\..\RunOnce: [mszr32.exe] C:\WINDOWS\system32\mszr32.exe
O4 - HKLM\..\RunOnce: [nten.exe] C:\WINDOWS\system32\nten.exe
O4 - HKLM\..\RunOnce: [apite.exe] C:\WINDOWS\apite.exe

Make sure you get them all
After you have FIX CHECKED, close down hijackthis

Double click to run About:buster hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report
Do this a few times, saving the report each time

RESTART back in Normal mode
Don't open a browser yet; instead access Internet Options via Control Panel.
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup>>>START--RUN---type in "cleanmgr" without quotes

Do another scan with Ad-Aware and RESTART
and post a fresh hijackthis log
along with the about:buster logs
 
poyndextr
« Reply #4 on: July 26, 2004, 06:10:55 PM »

I followed all of the steps up until the "Fix Checked" point in HJT. When I click the "Fix Checked" button I get the following error message:

An unexpected error has occurred at procedure: cmdFix_Click()
Error #75-Path/File access error (71 items in results list)

I don't think that any of the files you had me check were fixed, and I wasn't sure if I should proceed with the other steps because of this.
 
benditup
« Reply #5 on: July 26, 2004, 06:41:23 PM »

Hi poyndextr, try this

Delete the 'Backups' folder in the same folder as HJT. That should fix the problem.

If not we will have to try going back to version 1.97.7 of hijackthis
 
poyndextr
« Reply #6 on: July 26, 2004, 07:04:52 PM »

I deleted the backup file and still got the same error message. Where can I get the older version of HJT, and is getting out of safe mode to download it going to mess up the steps that I have already taken?
 
benditup
« Reply #7 on: July 26, 2004, 07:14:29 PM »

Try this link; with this version you will have to unzip it to a permanent folder:
  http://tomcoyote.com/hjt/
If you've already deleted Wintools, make sure you get the entry in HijackThis 1.97.7.

 
poyndextr
« Reply #8 on: July 26, 2004, 08:23:19 PM »

Okay... I followed all of the steps you suggested and the homepage is somehow still set to res://stgnx.dll/index.html#37049. I ran About:Buster four times, but never saw a way to save it... there was no save button and I didn't have a start bar, so I couldn't save it to Notepad or Word. The Microsoft install popups are still there too. Here is the new HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 2:19:54 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\ipzc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\WINDOWS\system32\addab.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Pvsw\Bin\W3DBSMGR.EXE
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
\Cdi05\c$\Program Files\desktop weather\desktopweather_1225103.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
\cdisrv01\home\shawnw\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: desktop weather.lnk = Program Files\desktop weather\desktopweather_1225103.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\Pvsw\Bin\W3DBSMGR.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://cosstore.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C876C44F-F4CF-11D2-BC2A-E5C9894AD505} (FastBid Class) - http://www.bxwa.com/fastbid/fastbidx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cdi-services.com
O17 - HKLM\Software\..\Telephony: DomainName = cdi-services.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B1964E9-99D7-4C49-9E6E-20DA4C5F6574}: NameServer = 192.168.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cdi-services.com
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll

 
benditup
« Reply #9 on: July 26, 2004, 08:37:42 PM »

About:buster should generate a report?

Try this
In Normal Mode
Open your task manager and end process on this
ipzc.exe
addab.exe

Open hijackthis and fix these entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll

O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe

Open About:Buster and let it do its thing.
Restart in safe mode
Find and delete these files if they exist
You may have to show hidden files and folders

C:\WINDOWS\ipzc.exe <---this file
C:\WINDOWS\system32\addab.exe <---this file

Run About:buster again, hopefully until you see something like this
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

Post back with a fresh hijackthis log
and the about:buster logs if you can

 
poyndextr
« Reply #10 on: July 26, 2004, 09:31:13 PM »

Here is the new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 3:24:27 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\ipzc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Pvsw\Bin\W3DBSMGR.EXE
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
\Cdi05\c$\Program Files\desktop weather\desktopweather_1225103.exe
C:\WINDOWS\system32\addab.exe
C:\Documents and Settings\shawnw\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrmjn.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrmjn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nrmjn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
O4 - HKLM\..\RunOnce: [ntap.exe] C:\WINDOWS\ntap.exe
O4 - HKLM\..\RunOnce: [mfcsd32.exe] C:\WINDOWS\mfcsd32.exe
O4 - HKLM\..\RunOnce: [javamj.exe] C:\WINDOWS\system32\javamj.exe
O4 - Startup: desktop weather.lnk = Program Files\desktop weather\desktopweather_1225103.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\Pvsw\Bin\W3DBSMGR.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://cosstore.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37678.4814814815
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C876C44F-F4CF-11D2-BC2A-E5C9894AD505} (FastBid Class) - http://www.bxwa.com/fastbid/fastbidx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cdi-services.com
O17 - HKLM\Software\..\Telephony: DomainName = cdi-services.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B1964E9-99D7-4C49-9E6E-20DA4C5F6574}: NameServer = 192.168.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cdi-services.com


I ran About:Buster four times and that resulted in exactly what you said it would look like. The two files that you told me to delete in safe mode weren't there (even with hidden files and folders showing). How am I supposed to save the About:Buster reports? I don't see a button to save, it doesn't save automatically (at least I don't think it does), and after I run it my start bar and all of my icons disappear.
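An added example, not part of the thread and not HijackThis's own code: a small Python triage script for HijackThis logs. It takes trimmed copies of lines from the two logs posted above (Reply #2 and Reply #10), flags the entry types benditup keeps asking to be fixed (IE start/search pages served from a res:// DLL, the unnamed BHO sitting in C:\WINDOWS, Run/RunOnce entries launching executables directly from the Windows directory), and compares the two logs to show what survived the first cleanup and that the hijack DLL simply came back under a new name (stgnx.dll became nrmjn.dll). The rule names and the in_windows_dir heuristic are mine, not HijackThis's.

```python
import re

# Constructed sample input: trimmed copies of lines from the two HijackThis logs
# posted in this thread (Reply #2, HJT v1.98.0, and Reply #10, HJT v1.97.7).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\stgnx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://stgnx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [javayl32.exe] C:\WINDOWS\system32\javayl32.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrmjn.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
IMAGE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.IGNORECASE)
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?(?P<dll>[\w.]+\.dll)/", re.IGNORECASE)


def parse_entries(text):
    """Split an HJT log into (kind, body) pairs such as ('R0', 'HKCU...Start Page = ...')."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out


def image_path(value):
    """Image file referenced by a Run/BHO value, with quotes and arguments dropped."""
    m = IMAGE_RE.match(value.strip())
    return m.group("path") if m else None


def in_windows_dir(path):
    """True when the file sits directly in the Windows or system32 directory with no
    deeper subfolder, which is where every dropper in this thread (ipzc.exe, addab.exe,
    the RunOnce batch, javahg.dll) lives. A heuristic of this example, not an HJT rule."""
    if not path:
        return False
    p = path.lower()
    for root in ("c:\\windows\\system32\\", "c:\\windows\\"):
        if p.startswith(root):
            return "\\" not in p[len(root):]
    return False


def triage(text):
    """Return (rule, entry) pairs for the entries an analyst should look at first."""
    findings = []
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1") and "res://" in body:
            # IE start/search page served from a DLL resource: the hijack itself.
            findings.append(("ie-page-res-dll", body))
        elif kind == "R3" and "missing" in body:
            findings.append(("urlsearchhook-missing", body))
        elif kind == "O2":
            m = BHO_RE.match(body)
            # HJT 1.97.7 prints "(no name)" even for Acrobat's BHO (see Reply #10), so
            # the name alone is unreliable; the DLL's location is the signal.
            if m and in_windows_dir(image_path(m.group("path"))):
                findings.append(("bho-in-windows-dir", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m and in_windows_dir(image_path(m.group("cmd"))):
                rule = "runonce-in-windows-dir" if m.group("key").lower() == "runonce" else "run-in-windows-dir"
                findings.append((rule, body))
    return findings


def hijack_dlls(text):
    """DLL file names the res:// start/search pages point at."""
    return {m.group("dll").lower()
            for _, body in parse_entries(text)
            for m in RES_DLL_RE.finditer(body)}


def survivors(before, after):
    """Flagged entries present verbatim in both logs: what the first cleanup missed."""
    return sorted({b for _, b in triage(before)} & {b for _, b in triage(after)})


if __name__ == "__main__":
    for rule, entry in triage(LOG_BEFORE):
        print(f"{rule:24} {entry}")
    print("hijack DLL before:", hijack_dlls(LOG_BEFORE), "after:", hijack_dlls(LOG_AFTER))
    print("survived cleanup:", *survivors(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

The survivors list is the interesting output: the R0/R1 lines are not in it because the DLL was renamed between logs, while the javahg.dll BHO and the addab.exe/ipzc.exe entries are identical in both, which is exactly the set benditup goes after in Reply #9.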

 
benditup
« Reply #11 on: July 26, 2004, 11:23:59 PM »

Ok, let's try something else.
Copy the contents of the 'QUOTE' box to Notepad, and save it as GetServices.vbs (make sure you save as type 'All Files').

Double click GetServices.vbs, and it will produce a list of all active services on your computer; please post that list in your reply.

If you have script blocking installed, you will get a warning when you try to run the script. Please allow it to run. It is only collecting information.

 
quote:
' Lists every service that is not stopped, grouped by the process hosting it,
' writes the result to Active.txt in the current directory and opens it.
Set objIdDictionary = CreateObject("Scripting.Dictionary")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' First pass: collect the distinct process IDs that host a running service.
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State <> 'Stopped'")
For Each objService In colServices
    If Not objIdDictionary.Exists(objService.ProcessID) Then
        objIdDictionary.Add objService.ProcessID, objService.ProcessID
    End If
Next

' Second pass: for each process ID, list the services it hosts and their image paths.
colProcessIDs = objIdDictionary.Items
For i = 0 To objIdDictionary.Count - 1
    Set colServices = objWMIService.ExecQuery _
        ("Select * from Win32_Service Where ProcessID = '" & _
        colProcessIDs(i) & "'")
    For Each objService In colServices
        msg = msg & vbCrLf & " " & UCase(objService.DisplayName) & ": " & objService.Name & vbCrLf & objService.PathName & vbCrLf
    Next
Next

' Write the report and open it in the default viewer for .txt files.
Dim fso, Services, Wshshell
Set Wshshell = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set Services = fso.CreateTextFile("Active.txt", True)
Services.Write "These are the Current Active Services:"
Services.WriteLine
Services.Write msg
Services.Close
Wshshell.Run "Active.txt"
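As an added example (not code from this thread and not part of benditup's script), here is a Python triage script that reads the Active.txt report the VBScript above writes and flags what a responder should inspect first: an entry with no service name or image path, and an image that lives outside the directories where service binaries are expected. SAMPLE_REPORT is a constructed excerpt modelled on the list posted in this thread, with one invented entry ("SYSTEM UPDATE HELPER") added to exercise the path check; TRUSTED_ROOTS is an assumption about where service binaries belong on this host.

```python
"""Triage the Active.txt report written by GetServices.vbs.

Added example, not part of the thread: parses the report format the VBScript
writes (DISPLAY NAME: ServiceName, then the image path on the next line) and
flags entries worth a second look.
"""
import re
from dataclasses import dataclass

# Assumption: on this box, legitimate service binaries live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Constructed excerpt modelled on the posted list; "SYSTEM UPDATE HELPER" is invented.
SAMPLE_REPORT = r"""These are the Current Active Services:

 WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 DEFWATCH: DefWatch
C:\Program Files\NavNT\defwatch.exe

 MACHINE DEBUG MANAGER: MDM
"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"

 WINDOWS INSTALLER: MSIServer
C:\WINDOWS\System32\msiexec.exe /V

 REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

 SYSTEM UPDATE HELPER: sysupd
C:\Documents and Settings\shawnw\Local Settings\Temp\sysupd.exe

 REMOTE PROCEDURE CALL (RPC) HELPER:
"""


@dataclass
class ServiceEntry:
    display: str
    name: str
    path: str  # raw command line as written by the script, "" if absent


def parse_report(text: str) -> list[ServiceEntry]:
    """Split the report into entries; a truncated entry has no path line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or lines[0].startswith("These are"):
            continue  # header line
        # The script writes DisplayName & ": " & Name; service names have no colon.
        display, sep, name = lines[0].rpartition(":")
        if not sep:
            continue
        path = lines[1].strip() if len(lines) > 1 else ""
        entries.append(ServiceEntry(display.strip(), name.strip(), path))
    return entries


def image_path(cmdline: str) -> str:
    """Extract the executable path from a service command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", s, re.IGNORECASE)
    if m:
        return m.group(1)
    return re.split(r"\s[-/]", s, maxsplit=1)[0]  # e.g. 'svchost -k rpcss'


def triage(entries: list[ServiceEntry]) -> list[tuple[str, str]]:
    """Return (display name, reason) for every entry that needs a look."""
    findings = []
    for e in entries:
        if not e.name or not e.path:
            findings.append((e.display, "no service name or image path in report"))
            continue
        exe = image_path(e.path).lower()
        if not exe.startswith(TRUSTED_ROOTS):
            findings.append((e.display, f"image outside trusted roots: {exe}"))
    return findings


if __name__ == "__main__":
    for display, reason in triage(parse_report(SAMPLE_REPORT)):
        print(f"{display}: {reason}")
```

The missing-name check is the one that matters for the output posted below: a service that shows a display name but no short name and no image path is not something the standard svchost/lsass/services.exe hosts produce, so it is the first entry to open in services.msc and in the registry under HKLM\SYSTEM\CurrentControlSet\Services.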
poyndextr
« Reply #12 on: July 27, 2004, 04:22:18 PM »

here is what it got when i ran GetServices.vbs:

These are the Current Active Services:

 WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

 CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

 DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

 LOGICAL DISK MANAGER: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

 ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

 COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

 HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

 MESSENGER: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

 NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

 NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

 REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

 TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

 SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SYSTEM RESTORE SERVICE: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs

 TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

 THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

 DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

 UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

 AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

 WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

 DEFWATCH: DefWatch
C:\Program Files\NavNT\defwatch.exe

 DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

 EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

 PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

 TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

 REMOTE REGISTRY: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService

 SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

 WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

 MACHINE DEBUG MANAGER: MDM
"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"

 WINDOWS INSTALLER: MSIServer
C:\WINDOWS\System32\msiexec.exe /V

 NET LOGON: Netlogon
C:\WINDOWS\System32\lsass.exe

 IPSEC SERVICES: PolicyAgent
C:\WINDOWS\System32\lsass.exe

 PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

 SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

 NORTON ANTIVIRUS CLIENT: Norton AntiVirus Server
C:\Program Files\NavNT\rtvscan.exe

 REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

 PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

 REMOTE PROCEDURE CALL (RPC) HELPER:
benditup
« Reply #13 on: July 27, 2004, 06:08:28 PM »

Well, take a look at what that exposed:

 REMOTE PROCEDURE CALL (RPC) HELPER:
poyndextr
« Reply #14 on: July 27, 2004, 09:02:36 PM »

I found the file in services.msc, stopped it and disabled it, but as soon as I clicked on the link you gave me for Trend Micro, it did it again. I went back into services.msc and it was started and set to automatic. I stopped it again and disabled it again, but it isn't working... it still keeps coming back. I ran the online AV software, which found seven things, deleted them and ran HJT. Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 2:54:40 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\WINDOWS\system32\addab.exe
C:\Pvsw\Bin\W3DBSMGR.EXE
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
\Cdi05\c$\Program Files\desktop weather\desktopweather_1225103.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ipzc.exe
C:\Documents and Settings\shawnw\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrmjn.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrmjn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nrmjn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
O4 - HKLM\..\RunOnce: [ntap.exe] C:\WINDOWS\ntap.exe
O4 - HKLM\..\RunOnce: [mfcsd32.exe] C:\WINDOWS\mfcsd32.exe
O4 - HKLM\..\RunOnce: [javamj.exe] C:\WINDOWS\system32\javamj.exe
O4 - HKLM\..\RunOnce: [netap32.exe] C:\WINDOWS\netap32.exe
O4 - HKLM\..\RunOnce: [apikl.exe] C:\WINDOWS\system32\apikl.exe
O4 - HKLM\..\RunOnce: [sysjs32.exe] C:\WINDOWS\system32\sysjs32.exe
O4 - HKLM\..\RunOnce: [sdkke.exe] C:\WINDOWS\sdkke.exe
O4 - HKLM\..\RunOnce: [msyf.exe] C:\WINDOWS\msyf.exe
O4 - Startup: desktop weather.lnk = Program Files\desktop weather\desktopweather_1225103.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\Pvsw\Bin\W3DBSMGR.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://cosstore.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37678.4814814815
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C876C44F-F4CF-11D2-BC2A-E5C9894AD505} (FastBid Class) - http://www.bxwa.com/fastbid/fastbidx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cdi-services.com
O17 - HKLM\Software\..\Telephony: DomainName = cdi-services.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B1964E9-99D7-4C49-9E6E-20DA4C5F6574}: NameServer = 192.168.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cdi-services.com

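As an added example (not part of the thread and not HijackThis code), here is a Python script that applies the triage a responder would do by eye on the log above: it correlates the "Running processes" list with the R0/R1, O2 and O4 lines and reports start/search pages pointed at a res:// resource inside a DLL, Run/RunOnce targets with short random-looking names directly in the Windows directory (noting when the target is currently running, and when a RunOnce value is still present even though Windows deletes those after running them), and nameless Browser Helper Objects whose DLL is not under Program Files. SAMPLE_LOG is a constructed excerpt of lines from the posted log; the "random-looking name" pattern, the Windows-directory set and the Program Files rule for BHOs are assumed heuristics, not HijackThis behaviour.

```python
"""Triage a HijackThis 1.97 log: correlate autoruns, BHOs and hijacked IE pages
with the running-process list.  Added example, not part of the thread."""
import re
from collections import defaultdict

# Assumed heuristics: a "random-looking" autorun is a short all-letter basename
# (optionally ending in 32) that sits directly in the Windows directory or System32.
RANDOM_NAME = re.compile(r"^[a-z]{3,8}(?:32)?\.exe$")
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<label>[^\]]*)\] (?P<target>.+)$"
)

# Constructed excerpt of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\addab.exe
C:\WINDOWS\ipzc.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nrmjn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nrmjn.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javahg.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def exe_path(value: str) -> str:
    """Lower-cased executable path from a Run value; quotes and arguments dropped."""
    m = re.match(r'"?(.*?\.exe)\b', value.strip(), re.IGNORECASE)
    return (m.group(1) if m else value.strip().strip('"')).lower()


def running_processes(text: str) -> set[str]:
    """Paths listed under 'Running processes:' up to the next blank line."""
    procs, in_list = set(), False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_list = True
            continue
        if in_list:
            if not line.strip():
                break
            procs.add(line.strip().lower())
    return procs


def triage_hjt(text: str) -> dict[str, list[str]]:
    findings = defaultdict(list)
    procs = running_processes(text)
    for line in text.splitlines():
        line = line.strip()
        if (m := R_LINE.match(line)) and m["value"].lower().startswith("res://"):
            findings["res_hijack"].append(f"{m['key']} -> {m['value']}")
        elif m := O2_LINE.match(line):
            if m["name"] == "(no name)" and not m["dll"].lower().startswith("c:\\program files\\"):
                findings["nameless_bho"].append(m["dll"])
        elif m := O4_LINE.match(line):
            exe = exe_path(m["target"])
            directory, _, base = exe.rpartition("\\")
            reasons = []
            if directory in WINDOWS_DIRS and RANDOM_NAME.match(base):
                reasons.append("random-looking name directly in the Windows directory")
            if m["key"] == "RunOnce":
                reasons.append("RunOnce value still present (Windows deletes these after running them)")
            if reasons and exe in procs:
                reasons.append("target is currently running")
            if reasons:
                findings["autorun"].append(f"{m['hive']} {m['key']} [{m['label']}] {exe}: " + "; ".join(reasons))
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage_hjt(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  " + item)
```

Running it over the full log above gives the same picture benditup was steering toward: the res:// start and search pages, the nameless BHO in C:\WINDOWS, and a set of RunOnce values with random names that are re-created faster than they can be removed, two of which (addab.exe, ipzc.exe) are in the process list at the moment the log was taken.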