HJT Log File

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by The Brewer, Jul 10, 2004.

  1. The Brewer

    The Brewer Private E-2

    Hi, would someone mind checking this for me?

    The history is, in-laws changed from dial-up ISP to Broadband - really slow performance, hijacking of homepage etc. They had no anti-virus and no windows updates.

    Have installed Norton Professional 2003 and used online scans at Panda etc.
    Have enabled and installed windows updates.
    Have installed and run Ad-Aware and Spybot S&D
    Incidentally Norton won't allow me to enable the auto-protect mode.

    Ad-watch has been flagging up huge numbers of attempts to change the registry - I've had particular trouble with wuam.exe, wumgrd.exe and NewDotNet. Hopefully I've removed some of the junk, but all help gratefully received.

    Many thanks in advance.

    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:54:56, on 10/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Inoculator\inoc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\NDrv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Betty\Desktop\Security Tools\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [NetWork] csrs.exe
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\RunServices: [NetWork] csrs.exe
    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did a quick look at the log. I see one item (two lines):
    O4 - HKLM\..\Run: [NetWork] csrs.exe
    O4 - HKLM\..\RunServices: [NetWork] csrs.exe

    This appears to be W32/Agobot-JJ. Refer to the links below:
    http://www.sophos.com/virusinfo/analyses/w32agobotjj.html
    http://vil.nai.com/vil/content/v_100532.htm
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.QI
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.polybot.html

    I'm surprised your Norton stuff did not find it. Are your definitions up to date?

    Also, did you purposely set all the search pages to about:blank?
     
  3. The Brewer

    The Brewer Private E-2

    Thanks - I'll look into those points now.

    I think I may have 'issues' with the Norton install - I know that it was done at a time that the machine was infected and am guessing that's the reason for auto-protect not working. Certainly the definitions are up to date - I had to download them via my own machine. Hence me trying the online scans.
     
  4. The Brewer

    The Brewer Private E-2

    "Also, did you purposely set all the search pages to about:blank?"

    No...
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then fix these lines with HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    Then Reset Web Settings on the Internet Explorer, Tools, Internet Options window. Then go back to the General tab and set your home page to what you want to use. Looks like you were using: http://www.blueyonder.co.uk/dial

    Run these online scans:
    http://housecall.trendmicro.com/housecall/start_corp.asp select Auto Clean
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Then try downloading and running McAfee Stinger (if still necessary):
    http://www.majorgeeks.com/download4063.html

    See if the W32/Agobot-JJ is cleaned up.
     
  6. The Brewer

    The Brewer Private E-2

    Cheers for the swift responses!

    I've checked Norton for updates, & am running a scan now, which hasn't found anything as yet.

    I'll post again when I've followed up on all your points.

    Many thanks.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Get back to me when you finish.
     
  8. The Brewer

    The Brewer Private E-2

    I'm back! - I've started looking at this again today due to work and stuff..

    Anyway, I followed chaslang's advice (cheers!) - the Panda scan came back clean. However, the Housecall scan found & 'cleaned' Agobot.QI and identified Trojan Buddylink.A and Worm Hybris.B.

    I've followed the instructions to remove these and have now had a clean scan from Housecall as well as Panda and the Installed Norton Professional.

    But...

    I still get an Ad-Watch popup as soon as I boot. It warns of 'csrs.exe' and 'about blank' - hence there being a record of this in the log below despite me choosing to 'fix' (several times).

    I've tried searching for csrs.exe but can't find it.
    I've tried the stinger as was suggested.

    What now, do I just delete the registry key and see if that's enough?

    Here's my most recent log:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:08:27, on 17/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Inoculator\inoc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Documents and Settings\Betty\Desktop\Security Tools\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [NetWork] csrs.exe
    O4 - HKLM\..\RunServices: [NetWork] csrs.exe
    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why is Remote Assistance session manager running ---> C:\WINDOWS\system32\sessmgr.exe
    Here is a description of what this is:

    “Remote Assistance is a technology in Windows XP which enables Windows XP users to help each other over an internal network or over the Internet. With this tool, one user, called the "Expert," can view the desktop of another user, the "Novice." With the Novice's permission, the Expert can even share control of the Novice's computer to resolve issues remotely. With Remote Assistance, a Help Desk can assist users on the network, which is known as the Offer Remote Assistance feature.”

    Did you or someone else set this up on your PC? Were you getting remote help? If not, I would suggest disabling it. It's up to you.
    Here is how to disable it:

    To disable this service go into “Control Panel \ Administrative Tools \ Services”, look for the Remote Desktop Help Session Manager service and set it to Disabled.


    Now for the other problems.

    First you need to disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668
    Do not reboot when told to. We will do that later.


    Bring up Task Manager (CTRL-ALT-DEL) and select the Processes tab.
    Look for any of the following running and "End" them (let me know if you find them):

    1.exe
    csrs.exe
    NDrv.exe

    Now setup windows explorer to show hidden files and folders. Read this:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html


    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\System32\NDrv.dll

    then click OK. If a dialog box confirming this action appears, click OK


    Now run HijackThis and select each of the following items but DO NOT CLICK FIX UNTIL I SAY TO:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O4 - HKLM\..\Run: [NetWork] csrs.exe
    O4 - HKLM\..\RunServices: [NetWork] csrs.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    READ AND PRINT THE STUFF DOWN BELOW FOR WHAT YOU ARE GOING TO DO IN SAFE MODE BECAUSE AFTER SHUTTING DOWN INTERNET EXPLORER (IE) YOU WILL NOT BE ABLE TO READ IT. ALSO DO NOT RUN IE AGAIN UNTIL TOLD.

    Now make sure all Internet Explorer Windows are closed (not minimized) and then
    click the Fix button in HijackThis.


    Now boot into safe mode:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    and use Windows Explorer to navigate to the below files and delete them (if found. Tell me what you find and don't find.)
    c:\WINDOWS\csrs.exe or C:\WINDOWS\System\csrs.exe or C:\WINDOWS\System32\csrs.exe
    C:\WINDOWS\System32\NDrv.dll
    C:\WINDOWS\System32\NDrv.exe

    Now reboot in normal mode. Run HijackThis and get a new log. Run IE, connect back here and post your log. Tell me the answers to my questions and post your log. If all is well, we will enable System Restore again.
     
  10. The Brewer

    The Brewer Private E-2

    Thanks for that.

    I set the Remote Assistance - the infected PC isn't mine. Have just double checked the invitations tho' - all is as I intended.

    Watch this space...
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm always watching!!! ;)
     
  12. The Brewer

    The Brewer Private E-2

    OK - First off - I've followed all your instructions carefully, so the About Blanks are coming back rather than me not removing them!!

    Your previous questions;

    Task Mngr
    1.exe - Not present
    csrs.exe - Not present
    NDrv.exe - Present

    Unreg of Dll was successful

    csrs.exe was nowhere to be found
    NDrv.dll and NDrv.exe were both in the System32 directory


    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:41:51, on 17/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Inoculator\inoc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\sessmgr.exe
    C:\Documents and Settings\Betty\Desktop\Security Tools\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [NetWork] csrs.exe
    O4 - HKLM\..\RunServices: [NetWork] csrs.exe
    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  13. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Seeing as Chas isn't here I'll jump in with a few questions of my own: are you 100% sure those processes are not showing in Task Manager?
    Please re-follow the previous instructions and this time use Windows' built-in search to look for csrs.exe and see exactly where it's hiding itself; obviously use the advanced search options to include hidden files and folders ;)
    Post back with results.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to find that csrs.exe file. But it may be coming from something else. I'll send another item to do in a few minutes.

    Here is how you do that advanced search.
    How to use windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter csrs.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  15. The Brewer

    The Brewer Private E-2

    I'm 110% sure.

    Hidden & system files are shown but csrs.exe is not there.
    Looking (searching) for files containing csrs just returns csrss.exe (Located WINDOWS\System32 - so I'm leaving that well alone!!!)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay faster than I thought:

    1) First, go here and download Registrar Lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.

    If a DLL is found here, it could be the cause of the about:blanks. But they do not look like the typical about:blank problems.
     
  17. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    LOL, that's why you're the anti-spyware man, I'm too lazy to write all those instructions down :p

    And looks like that sucker is spawning elsewhere :rolleyes:
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes leave csrss.exe alone. It is part of Windows: Client/Server Runtime Server Subsystem
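
    As an added example (not code from this thread, from HijackThis, or from any of the posters), here is a small Python triage script that applies the checks made by eye above: an O4 Run/RunServices entry that is only a bare filename, so the log never says where the file actually lives; an executable name one character away from a core Windows process, which is exactly the csrs.exe versus csrss.exe distinction just made; an O16 Downloaded Program File entry that points at a local file: URL rather than a download; and R0/R1 start and search pages forced to about:blank. The list of core Windows process names, the edit-distance threshold and the "repeated-digit CLSID" check are this example's own assumptions, and the sample lines are copied from the logs posted in this thread rather than taken from a live machine.

```python
"""Heuristic triage of HijackThis (v1.97-era) log lines.

Added example, not code from the thread or from HijackThis. The heuristics
(core process list, edit-distance threshold, CLSID check) are assumptions
made for illustration, not rules from any published tool.
"""
import re
from typing import List, Optional, Tuple

# Core Windows XP process names. A filename one edit away from one of these
# (csrs.exe vs csrss.exe) is a common impersonation trick. List is an assumption.
WINDOWS_CORE = {
    "csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe",
}

# O4 Run/RunServices entries: "O4 - HKLM\..\Run: [Name] command line"
O4_RUN_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 Downloaded Program Files: "O16 - DPF: {CLSID} (Description) - URL"
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# R0/R1 IE start/search page values: "R1 - HKCU\...\Main,Search Bar = data"
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
# First executable on a command line, tolerating unquoted paths with spaces.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|pif|cmd))(?:"|\s|$)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character impersonations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe: str) -> Optional[str]:
    """Return the core Windows name that exe is one edit away from, if any."""
    exe = exe.lower()
    if exe in WINDOWS_CORE:
        return None  # the genuine article, leave it alone
    for legit in sorted(WINDOWS_CORE):
        if edit_distance(exe, legit) == 1:
            return legit
    return None


def executable_of(cmd: str) -> Tuple[str, bool]:
    """Split a Run-key command line into (basename, has_full_path)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else cmd.split(" ", 1)[0]
    has_path = "\\" in path or ":" in path
    return path.rsplit("\\", 1)[-1], has_path


def analyse_line(line: str) -> List[str]:
    """Return the findings for one log line (empty list if nothing looks off)."""
    line = line.strip()
    findings: List[str] = []

    m = O4_RUN_RE.match(line)
    if m:
        exe, has_path = executable_of(m.group("cmd"))
        if not has_path:
            findings.append(f"O4 autorun '{m.group('name')}' runs bare filename {exe}: "
                            "resolved via the search path, so its location is not in the log")
        legit = lookalike_of(exe)
        if legit:
            findings.append(f"{exe} is one character away from Windows process {legit}")
        return findings

    m = O16_RE.match(line)
    if m:
        url, clsid = m.group("url"), m.group("clsid")
        if url.lower().startswith("file:"):
            findings.append(f"O16 DPF entry loads a local file ({url}), not a download")
        # A generated GUID has many distinct hex digits; all-ones is hand-typed (assumption).
        if len(set(clsid.replace("-", "").lower())) < 4:
            findings.append(f"O16 CLSID {{{clsid}}} does not look like a generated GUID")
        return findings

    m = R_RE.match(line)
    if m and m.group("data").strip().lower() == "about:blank":
        findings.append(f"IE {m.group('value').strip()} forced to about:blank (reset candidate)")
    return findings


def analyse_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run analyse_line over every line, keeping only lines that have findings."""
    out: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        found = analyse_line(raw)
        if found:
            out.append((raw.strip(), found))
    return out


# Constructed sample: lines copied from the logs posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [NetWork] csrs.exe
O4 - HKLM\..\RunServices: [NetWork] csrs.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for flagged_line, findings in analyse_log(SAMPLE_LOG):
        print(flagged_line)
        for finding in findings:
            print("   ->", finding)
```

    Running it prints each flagged line followed by its findings; the two csrs.exe lines each come out with two findings (bare filename, look-alike of csrss.exe), the Ad-watch and Shockwave lines come out clean, and the 1.exe entry is flagged both for its file: URL and for its hand-typed CLSID. The point of the bare-filename check is the one the thread ran into: the registry value alone does not tell you where csrs.exe sits, so an on-disk search with hidden and system files included is the only way to locate it.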
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something else I just noticed:

    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe

    This is part of PurityScan. Try doing this:
    1. In order to uninstall our interstitial advertisements, simply click on the following link:

    http://www.purityscan.com/ps_uninstaller.exe

    2. The uninstall prompt will appear. Run it.

    3. After the uninstall program has run, RESTART your computer. You will then no longer receive offers from PuritySCAN.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Come On Brewer! You are falling behind! ;) What did you do, stop off to have a brew! :p

    Or did I confuse you?

    I'm ready to post a load more steps before I have to run out for a few hours.
     
  21. The Brewer

    The Brewer Private E-2

    The Value is empty.
    This is what I see..

    Keyname = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value Name = AppInit_DLLs
    Category =
    Description =
    Type = REG_SZ Type No = 00000001
    Size = 1
    Value =
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, do what I told you for the PurityScan stuff. And then try these steps (they start at number 6 because they pick up where I left off with the last Registrar Lite steps):

    6) shutdown Registrar Lite
    7) ***** Shutdown all browsers and Disconnect from the internet ***** Do not connect again until told to do so.
    8) run HijackThis and have it fix only the following:
    O2 - BHO: (no name) - {5AD8254C-B4E9-496E-A4F1-4156980DC94D} - C:\WINDOWS\System32\ajd.dll
    O18 - Filter: text/html - {C7FD4D7D-EAD6-4421-8971-434D4D055B98} - C:\WINDOWS\System32\ajd.dll
    O18 - Filter: text/plain - {C7FD4D7D-EAD6-4421-8971-434D4D055B98} - C:\WINDOWS\System32\ajd.dll
    9) run about:Buster and save log file
    10) run HijackThis and fix these lines (or any more like them) if they still exist:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    11) reboot to safe mode
    12) run Ad-aware and set it up for the full scan. Perform scan and clean what it finds.
    13) run the VX2 Cleaner Plugin
    14) go c:\windows\temp and delete everything you can in that directory (some file may be locked, make note of which ones).
    15) Reset Web Settings by right clicking on your desktop Internet Explorer icon. Then click Tools, Internet Options, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you prefer (like www.majorgeeks.com).
    16) reconnect your cables for internet access
    17) reboot to normal mode
    18) check everything out
    19) I want you to run Registrar Lite again and paste this line into reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    Click the "go" tab
    Find: "AppInit_Dlls" value on the right side panel.
    DoubleClick on AppInit_Dlls tell me exactly what you see in the Value. (Just reply for step 19 AppInit_DLLs was....)
    shutdown Registrar Lite
    20) if still having a problem post a new HijackThis log and the log from about:Buster, and do not reboot the PC until you get a response back from me. It is okay to disconnect from the internet but do not reboot or shutdown.

    I have to step out for awhile. Be back later. Let me know how this goes. If it does not work please do the below:

    Check to see if a Windows service named "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select Stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type:", click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. Tell me if you find this service and the Path to executable if found.
     
  23. The Brewer

    The Brewer Private E-2

    I'm back and about to action your last post.

    I went to get a beer - sorry! I've made arrangements so it shan't happen again. (PC Owners will keep bringing it to me!!)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LOL! I'll be back later. Keep me posted!
     
  25. The Brewer

    The Brewer Private E-2

    Sorry - Point 9 about:Buster

    This must be a utility that I don't have...
    Where will I find it?
     
  26. The Brewer

    The Brewer Private E-2

    Sorry - Still new to the site, have found it now.
     
  27. The Brewer

    The Brewer Private E-2

    Step 19 - AppInit_DLLs was empty

    Here are my log files:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:41:51, on 17/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Inoculator\inoc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\sessmgr.exe
    C:\Documents and Settings\Betty\Desktop\Security Tools\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [NetWork] csrs.exe
    O4 - HKLM\..\RunServices: [NetWork] csrs.exe
    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    -- Scan 1 --------
    About:Buster Version 1.30
    Attempted Clean Of Temp folder.
    Pages Reset... Done

    I really appreciate all your help on this, but I've got to slip away for a few hours too (to sleep!). I'll leave the machine on overnight and carry on from there.

    Many thanks.
     
  28. The Brewer

    The Brewer Private E-2

    Oh, forgot to mention that there was no listing for Network Security Service.

    Cheers,

    The Brewer.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you actually run steps 10 and 15 okay? It's rather strange that all those about:blank R0 & R1 lines are still there after those two steps. Are you sure you are actually checking the lines to fix and then clicking "Fix checked" with HijackThis? Did the Reset Web Settings actually work, and did you set your start page manually back to "http://www.blueyonder.co.uk/dial"?

    For the time being, I want you to not have that for the start page so could you run HijackThis and put checks on the following lines and then select Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial

    Then do the Reset Web Settings step 15 from before again but this time (at least temporarily) set the start page to www.majorgeeks.com


    Also it does not look like you ran the steps I asked for fixing PurityScan. I'll repeat them:

    Something else I just noticed:

    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe

    This is part of PurityScan. Try doing this:
    1.In order to uninstall our interstitial advertisements, simply click on the following link:

    http://www.purityscan.com/ps_uninstaller.exe

    2.The uninstall prompt will appear. Run it.
    3.After the uninstall program has run, RESTART your computer. You will then no longer receive offers from PuritySCAN.


    If you did not do those steps, do them now. If you did run them (or you run them now and the O4 line with wapisvcc.exe is still there) then do the following:

    1) bring up Task Manager, select Processes and look for wapisvcc.exe. If found, end it.
    2) shutdown Task Manager and all IE sessions and run HijackThis
    3) check the line with
    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
    4) click Fix checked
    5) immediately run another HijackThis scan and verify the line was fixed
    6) boot to safe mode
    7) delete the C:\WINDOWS\System32\wapisvcc.exe file
    8) reboot normally and post another log
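The manual checks chaslang walks through above (about:blank in the R0/R1 search keys, an O4 entry that names a bare file with no path, a per-user Run entry pointing at a System32 binary, a name one letter off a real system process) are mechanical enough to script. The following Python is an added example written for this edit; it is not HijackThis code and not something posted in the thread. The sample log is constructed from the shape of the lines posted above; the allow list of System32 binaries expected under HKCU\..\Run, the set of system process names used for the lookalike check, and the severity labels are assumptions of this example, not anything the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, assembled from the shape of the logs posted in this thread:
# two R1 lines (one hijacked), one healthy R0 line, and benign plus suspect O4 lines.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\\..\\Run: [AdaptecDirectCD] C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe
O4 - HKLM\\..\\Run: [NetWork] csrs.exe
O4 - HKLM\\..\\RunServices: [NetWork] csrs.exe
O4 - HKCU\\..\\Run: [WTSC] C:\\WINDOWS\\System32\\wapisvcc.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# Core Windows NT process names that malware likes to imitate (assumption: this list).
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe"}
# Assumption: the only System32 binary expected under HKCU\..\Run on a stock XP box.
HKCU_SYSTEM32_ALLOW = {"ctfmon.exe"}

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
EXE_PREFIX = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" (fix it) or "review" (confirm before fixing)
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short filenames, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system process a filename imitates (csrs.exe -> csrss.exe), or None."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None
    for real in SYSTEM_NAMES:
        if edit_distance(name, real) <= 1:
            return real
    return None


def command_basename(cmd: str) -> Tuple[str, bool]:
    """Split an O4 command into (exe basename, had_directory).

    HijackThis prints unquoted paths with spaces, so we cut at the first
    executable extension rather than at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.index('"', 1)]
    else:
        m = EXE_PREFIX.match(cmd)
        exe = m.group(1) if m else cmd.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower(), "\\" in exe


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, _hive, _key, value_name, value = m.groups()
            if value.strip().lower() == "about:blank":
                # Start Page = about:blank can be a deliberate user choice; the search
                # keys being pointed at about:blank is the classic hijacker pattern.
                sev = "review" if value_name.strip() == "Start Page" else "high"
                findings.append(Finding(sev, line, f"{value_name.strip()} hijacked to about:blank"))
            continue
        m = O4_LINE.match(line)
        if not m:
            continue
        hive, key, _name, cmd = m.groups()
        base, has_dir = command_basename(cmd)
        if not has_dir:
            findings.append(Finding("high", line,
                f"{base} registered without a path; resolved via search order, binary unverifiable"))
        real = lookalike(base)
        if real:
            findings.append(Finding("high", line, f"{base} imitates system process {real}"))
        if key.lower() == "runservices":
            # RunServices is honoured by Windows 9x/ME, not the NT line; an entry there on XP
            # is malware dropping its 9x persistence alongside the Run entry.
            findings.append(Finding("high", line,
                "RunServices is a Windows 9x key; nothing legitimate on XP registers there"))
        if hive == "HKCU" and has_dir and "\\system32\\" in cmd.lower() and base not in HKCU_SYSTEM32_ALLOW:
            findings.append(Finding("review", line,
                f"per-user autostart of a System32 binary ({base}); confirm it is a known file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the script flags the about:blank Search Bar line, both csrs.exe entries (no path, one letter off csrss.exe, and the 9x-only RunServices key), and wapisvcc.exe for manual confirmation, while passing DirectCD.exe, ctfmon.exe and the ISP start page untouched. The "review" tier matters: a per-user System32 autostart is exactly what wapisvcc.exe turned out to be here, but the same shape is also how legitimate input-method and accessibility helpers register, so the script points at it rather than condemning it.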
     
  30. The Brewer

    The Brewer Private E-2

    "Did you actually run steps 10 and 15 okay?"

    Yes. I actioned those and didn't see any indication that they weren't working.
    However, I reset my homepage to Google, and Google is what actually loads as I open IE.

    Blueyonder is the ISP for both the infected machine and my own.
    My own machine sits behind a hardware firewall , and has always run anti-virus and anti-spyware software since it was unpacked. I scan it etc frequently and I believe it to be clean.
    When I run Hijack This on my own machine there's no entry for Blueyonder/dialer.
    Neither of us are using a dial-up connection to our ISP - it's a broadband connection through our cable TV provider.
    Do you think I should fix the bLueyonder/dialer entry?

    Also, I did run the PurityScan uninstaller.
    Will do again, because as you mentioned wapisvcc.exe is a running process.
    It was definitely there in Task Manager before when I was looking for 1.exe, csrs and NDrv.exe

    I will action everything in your last post when I go round to my inlaws in approx 3 hours.
    As mentioned, I truly appreciate your efforts on this and wouldn't be as rude as to not follow your guidance fully.
     
  31. The Brewer

    The Brewer Private E-2

    Latest log is attached below.

    It looks a lot, lot cleaner to me!
    The csrs.exe definitely wasn't there as an .exe - I searched many times, but reading your comment re the About Blanks returning, and the fact that the wapisvcc.exe entry was there (although again I searched for the actual .exe and could find it) made me realise why everything was being so hard to get rid of.

    Ad-Watch!!

    I've disabled it completely for the time being and run through all that you advised again, hence the log below.

    No csrs.exe, no wapisvcc.exe, MG.com not about blank etc.

    What do you think - am I clean at last? And should I fix the Blueyonder/dial @ R1?

    I'll hold off rebooting and re-enabling Ad-Watch until I hear.

    Cheers,

    Logfile of HijackThis v1.97.7
    Scan saved at 14:20:47, on 18/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Inoculator\inoc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Betty\Desktop\Security Tools\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was not so much that I thought you didn't run them, it was more that I was worried that something did not go right (an error message or something or bad directions). It gets pretty hard doing these things via messages like this. The only way I can be sure what is actually happening is if you specifically tell me or if I ask questions that request a direct answer. Sometimes things that should work, don't. And that is always somewhat baffling.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right now the log looks pretty clean. I would delete the Blueyonder/dial @ R1 especially since you do not use a dialup connection. (In fact I would fix both R1 lines that mention Blueyonder). Do you know whether the next line is really necessary:
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

    I have no idea, I'm just questioning it. Lots of times things like this just waste system resources and can be run later by selecting them only when you need them. But since I do not know anything about Blueyonder or this "tool", I have no idea.

    At any rate, you're looking good right now. Hopefully it stays that way. Let's get a firewall on this PC and a spyware blocker like SpywareBlaster.
     
  34. The Brewer

    The Brewer Private E-2

    Cool!!!

    I'll lose both the R1 lines - but the O4 line probably relates to a support tool for Blueyonder's broadband which normally lives in the system tray so I'll leave that.

    Your help is much appreciated - but I'm sure you don't want to give it twice, so do you rate SpywareBlaster above Spybot S&D and Ad-Aware? (Which have been installed since problems started occurring)

    Thanks again for all you time and efforts on this.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spybot is only a scanning tool.
    Ad-aware is also only a scanner unless you purchase it with Ad-watch.
    SpywareBlaster is a free blocking tool, and used together with their other tool called SpywareGuard you get good protection. But no protection is perfect because this malware stuff keeps evolving just like viruses do. Our experience has shown that multiple programs are needed to get greater coverage in this area. That is why you always see us asking users to run both Ad-aware and Spybot (sometimes I also ask them to run SpySweeper for specific problems too). Another item that gets very good ratings is PestPatrol: http://www.majorgeeks.com/download1187.html There is a review link on that page too.
     