Help...Another victim of winfixer2005

2005-12-21, 05:54
I will appreciate very much any tricks you can show this "old dog". I am definitely motivated to learn; out of sheer frustration; believe me! Here is the log file from HijackThis...
OK... never mind that. I can't copy & paste my log file (with a .txt file extension). It looks like you guys have to give me the "browse" button permission before I can make any attachments.
I will forward my log file to my work e-mail address so that I can continue working with you guys tomorrow. Simply reply to my query through this forum; due to the fact I cannot read my "home" e-mail from my computer at work.
Thanks SpyBot folks, you are awesome !!

2005-12-21, 12:51
I can't copy & paste my log file (with a .txt file extension). <snip>
Thanks SpyBot folks, you are awesome !!

Hi there and thank you. :)

Have you tried this:

Double click HijackThis.exe.
Hit None Of The Above, just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click that, save the log somewhere, and copy/paste the HJT log.

Before you post a log (http://forums.spybot.info/showthread.php?t=288)

2005-12-21, 18:08
Hi Tashi: I didn't have any problem running & creating my HijackThis log. My problem is this... according to the "Attachment" instructions SpyBot provides; it says to select "Browse" at the bottom of the window one is in when creating a "thread" to post. But there is no "Browse" button anywhere to be found. So... how do I give you my log file?
Any chance you can reply to this msg. before I leave work at 2:45-pm PST?
Thanks again... Jim

2005-12-21, 20:35

You could post it into a reply; if the log is too large, post half in one reply and half in another.

2005-12-21, 21:13
Wow !! This time it worked. I clicked on "Manage Attachments" and another window opened. Great ! Here you go...
Looking forward to reading your words of wisdom.
Thanks again !!

2005-12-21, 21:28
Go to Start > Run and type in
sc delete TBPSSvc
press OK or Enter

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your
desktop. (By noahdfear.)
Double click on the file to extract it to its own folder on the desktop.

Please download the trial version of Ewido Security Suite here:
Install, then from within the program check for updates BUT don't scan yet.
ewido security suite: http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), close the program.
Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for
updates: Ad-Aware SE Setup (http://rstones12.geekstogo.com/adawareSE_setup.htm)
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Start Hijackthis and place a check next to these items if there.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [FNI.WFX5AS_0001_0818] "C:\DOCUME~1\JDix\LOCALS~1\Temp\WFX1.exe"
O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\TheApp.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Sguj] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [WinFixer] C:\Program Files\WinFixer\WFX5.exe /min
O4 - HKCU\..\Run: [Lndt] "C:\Program Files\bcas\teas.exe" -vt mt
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - WebSearch - C:\PROGRA~1\Toolbar\TBPSSvc.exe

Hit fix checked and close Hijackthis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your
operating system is installed. Please post that log along with all others requested in your next reply.

Open Spybot check for and fix any problems found.
Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop.
Close Ewido.

Restart back to a normal windows session
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if

Get this free online scan and post the results.
Kaspersky Lab - Free Online scan:
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.

Post a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add
Let us know if any problems persist
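A defender-side triage script for the kind of HijackThis entries listed in the post above, written as an added example (it is not part of this thread or of HijackThis): it parses the R0/R1, R3, O2, O3, O4, O15, O18 and O23 line formats seen in the logs here and re-applies the checks the helper used when choosing what to fix. The suspect directories and search hosts are assumptions taken from this thread's fix list; the sample lines are copied from the logs posted in it.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not part of
the thread or of HijackThis). It parses the line formats seen in the logs
above and re-applies the checks the helper used when picking entries to fix.
"""
import re
from dataclasses import dataclass, field

# Directories and search hosts this thread tied to the WinFixer/WebSearch
# infection (assumption: a defender maintains these from their own notes).
SUSPECT_DIRS = ("\\winfixer\\", "\\progra~1\\toolbar\\", "\\bcas\\", "\\spyblocs\\")
SUSPECT_HOSTS = ("websearch.com", "iquicksearch.net")
ILLEGAL_NAME_CHARS = set('<>:"/\\|?*')  # never valid in a Windows file name

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?P<args>.*)$', re.IGNORECASE)
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O15_RE = re.compile(r"^(?P<kind>Trusted [^:]+): ?(?P<target>.*?)\s*\((?P<hive>HK\w+)\)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_line(line):
    """Split one HJT line into its item code and the fields for that code."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m.group("code"), m.group("body"))
    sub = None
    if e.code == "O4":
        sub = O4_RE.match(e.body)
        if sub:
            e.fields = sub.groupdict()
            exe = EXE_RE.match(e.fields["cmd"].strip())
            if exe:  # unquote the command line and separate the binary from its arguments
                e.fields.update(exe.groupdict())
        return e
    if e.code in ("O2", "O3", "O18", "R3"):
        sub = COM_RE.match(e.body)
    elif e.code in ("R0", "R1"):
        sub = R_RE.match(e.body)
    elif e.code == "O15":
        sub = O15_RE.match(e.body)
    elif e.code == "O23":
        sub = O23_RE.match(e.body)
    if sub:
        e.fields = sub.groupdict()
    return e


def triage(e):
    """Re-run the thread's heuristics on one entry; returns (and stores) its flags."""
    f, flags = e.fields, []
    target = (f.get("exe") or f.get("path") or f.get("data") or "").lower()
    if any(d in target for d in SUSPECT_DIRS):
        flags.append("file or resource lives under a directory tied to the infection")
    if e.code == "O4" and "exe" in f:
        if "\\temp\\" in target:
            flags.append("autorun starts a binary from a Temp directory")
        base = target.rsplit("\\", 1)[-1]
        # HJT prints an unprintable byte in a file name as '?' (cf. l?gonui.exe)
        if any(c in ILLEGAL_NAME_CHARS or not 32 <= ord(c) < 127 for c in base):
            flags.append("executable name holds a character Windows file names cannot "
                         "(HJT shows it as ?): look-alike of a system binary")
    if e.code in ("O2", "O3", "O18", "R3") and f.get("name") == "(no name)":
        flags.append("unnamed COM object hooked into the browser")
    if e.code == "R3" and "missing" in e.body:
        flags.append("default URLSearchHook has been removed")
    if e.code in ("R0", "R1") and any(h in target for h in SUSPECT_HOSTS):
        flags.append("search setting redirected to a known hijack host")
    if e.code == "O15" and f.get("target"):
        flags.append("site added to the Trusted Zone, lowering IE security for it")
    e.flags = flags
    return flags


def triage_log(text):
    """Return the entries of an HJT log that raised at least one flag."""
    hits = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e and triage(e):
            hits.append(e)
    return hits


# Sample lines copied from the HijackThis logs posted in this thread
# (three of them are benign and must not be flagged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [FNI.WFX5AS_0001_0818] "C:\DOCUME~1\JDix\LOCALS~1\Temp\WFX1.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Sguj] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [Lndt] "C:\Program Files\bcas\teas.exe" -vt mt
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted IP range: (HKLM)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - WebSearch - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
"""
```

Running `triage_log(SAMPLE_LOG)` flags eight of the eleven sample lines and leaves the ZoneAlarm, empty Trusted IP range and Kaspersky entries alone, matching what the helper kept and what they put on the fix list.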

2005-12-21, 22:17
Lonny, thank you for your quick response. Now I can "tackle this monster" later today when I get home from work. I have a lot to do... download AdAware etc. I'll post back to the forum the results, per your instructions.
Man I'm psyched ! :dancing-c

2005-12-22, 16:39
Hello again: After running Spybot & fixing the problems, I tried to open Ad-aware to do a full scan (per your instructions). However it went "out to lunch" on me. It was trying to connect to the Ad-Aware server to look for updates. I left the computer on for 6-hours & nothing happened. I had to do an "end-task" on it before shutting down the PC.
Should I skip this step (running Ad-Aware) & go on to run Ewido?

2005-12-22, 16:45
Yes, skip that step.

Remind us/me later about that ad-aware problem if it still happens later when all cleaned up.

2005-12-25, 19:07
As you requested here are the various scan results. Also, to remind you, I tried running Ad-Aware afterwards, and once again it "went out to lunch" looking for updates. According to the Task Manager Ad-Aware was "not responding". I ended the task and continued to this reply.
Oh great! The "Manage Attachments" isn't working. This happened before. I think it only occurs when I'm using my home PC. When I'm at work the "Manage Attachments" button works fine. I will forward my scan result files to my work computer & get back to you.
Thanks again for all your help...

2005-12-27, 15:29
Spybot pros: The scan results from Ewido is an empty file. Not sure what happened with that. However, I can say that it appears most of my problems are gone. Thank you all so very, very, much! One thing to note is... the "free" Kaspersky scan wasn't available. I had to download a 30-day free trial in order to run it. My free trial expires at the end of Jan. 2006. In the meantime I will use Kaspersky until I figure out how to get "Active X" controls working. I need them (Active-X) to get the Norton Anti-Virus "Automated Assistant" to function; then I can hopefully debug the problem I am having with their software. I noticed someone posted a problem regarding Norton software that sounds similar to mine; so I will stay abreast of that situation; I may find some answers there. I've also been following the posts regarding Active-X controls.
You "Spybot guys" are awesome! As soon as I recover from the recent holiday "pocket-book" depletion (maybe in a couple weeks) I want you all to know I'll be making a donation ($$) to your work. You're "worth every penny" as the old saying goes. Thank you all again very much!
Respectfully, Jim

2005-12-27, 15:57
Yahoo's is a separate browser that uses Internet Explorer; perhaps adjusting it and IE's security will help.
Re-Adjust your security settings & ActiveX:
Go to Internet Options/Security/Internet(green&blue globe), press 'default level', then OK.
If it's not available, click the custom level button and change something, OK, then apply, now
use the default button.
Then press Custom Level.
In the ActiveX section,
1st: prompt or enable
2nd: disable
3rd: disable
4th: Prompt or enable
5th: prompt or enable
"Installation of Desktop items" = Prompt
"Launching programs and files in an IFRAME" = Prompt
click apply > OK
Highlight the restricted zone, click custom level
and disable everything that can be, click OK
then click the advanced tab and
Uncheck: Install on demand (other), click Apply then Ok

Start Hijackthis and place a check next to these items if there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [Sguj] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [WinFixer] C:\Program Files\WinFixer\WFX5.exe /min
O4 - HKCU\..\Run: [Lndt] "C:\Program Files\bcas\teas.exe" -vt mt
Hit fix checked and close Hijackthis.
Restart the PC
In Control Panel > Add/Remove Programs uninstall SpyBlocs (if there)

Set Windows to show hidden extensions, files and folders.
Click for instructions (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).

delete these folders if present
C:\Program Files\SpyBlocs
C:\Program Files\WinFixer
C:\Program Files\bcas

Post a new log and let us know of any problems

2005-12-28, 16:06
:D Good morning all! I followed your latest instructions (Lonny) last night. I will see if I can get my Norton Anti Virus software working properly this evening. Hopefully the "Active-X" problems are resolved now & I can run Norton's "Automated Assistant". Man! That Kaspersky software is really good. It scrutinizes everything! While performing one of the scans (either Ad-Aware or Ewido); Kaspersky kept popping-up with msgs. several times informing me of Trojan attacks; recommending that I delete them; of course I did. I'm beginning to wonder if I should consider purchasing their product after my 30-day free trial ends; and dump my Norton software. If you have any comment or recommendations I will update my profile so that you can send me an e-mail to my home PC.
Oh yeah, I almost forgot. The Kaspersky scan result simply says no viruses found. No log file to save.
Thanks again to all for your time & expertise!

2005-12-28, 16:35

I don't see anything in that ewido log; were there any errors?

The hijackthis log looks great

To prevent conflicts do not have more than one antivirus installed at a time.
Yes, I recommend Kaspersky over Norton any day :)

Put in place a good hosts file
How To Download and Extract the HOSTS file:
Replace it about once monthly
How did that go ?
To help avoid reinfection see "So how did I get infected in the first place?"

2005-12-29, 19:50
Lonny: One of the problems I've been having is this... from my home PC, when I am posting a reply, I click on "Manage Attachments"; but nothing happens. Therefore I have to e-mail my (in this case, Ewido) scan results .txt file to where I work. For some strange reason the "Manage Attachments" button works when I'm using this computer. However... I just realized another problem. The Ewido scan file had info. in it when I sent it from my home PC; but when I open the e-mail at work; the Ewido file is empty. I think maybe the company I work for has some kind of anti-virus software running and it is deleting the contents of my file. It's amazing that I didn't lose the contents of my HJT file when I went through this same process in order to get you guys my scan results. But, anyways, I think I'm good to go now! My computer seems to be working fine.
This should be my last post (wishful thinking).
Thanks again to all of you SpyBot "brainiacs" (I mean that in a complimentary way); for all your wise instructions / suggestions.:bigthumb:
Happy New Year to all !!
p/s I won't forget about my donation promise (give me a week or two):)

2005-12-29, 21:55

You could have copied then pasted them here rather than attach.
Maybe Re-Adjusting your security settings & ActiveX will help, did you do that ?

2005-12-29, 22:14
Lonny: Yeah, I did reset my active-x IE control settings per instructions.
As for the copy & paste, it doesn't work. I just (right-mouse button) copied the file from my folder on C: drive & came here to this "post reply" window & went to (right-mouse button) paste... but the "paste" function is "greyed out". In fact all (cut, copy & paste) functions are greyed-out (unselectable).
If I could only get my "Manage Attachments" button to work at home as it does here at work... that would just about wrap-up all my problems.
Later man... Jim :confused:

2005-12-30, 02:22
If I understand correctly, we can't copy a whole file into a post.
Open the text then go file select all >file copy > then in a reply rightclick paste.

Perhaps these browser checks will help

2005-12-30, 03:33
Lonny: Duh... why didn't I think of that :o (don't answer that)... it worked!
Here is my Ewido scan result from the other day... :D

ewido anti-malware - Scan report

+ Created on: 9:34:07 PM, 12/27/2005
+ Report-Checksum: BCAB4F70

+ Scan result:

C:\Documents and Settings\Gnat.DIX-HOME-PC\Local Settings\Temporary Internet Files\Content.IE5\85ABCDAF\WinTS[1].cab/WToolsS.exe -> Downloader.Wintool.b : Cleaned with backup
C:\Documents and Settings\Gnat.DIX-HOME-PC\Local Settings\Temporary Internet Files\Content.IE5\ET0F2981\hotfix[1].cab/hotfix.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Gnat.DIX-HOME-PC\Local Settings\Temporary Internet Files\Content.IE5\ET0F2981\newmajorse2[1].cab/newmajorse2.txt -> Spyware.WebSearch : Cleaned with backup
C:\WINDOWS\Temp\~323065.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~770932.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~891705.tmp -> Spyware.Wintools : Error during cleaning

::Report End

2005-12-30, 06:20
Those are probably inactive files, but let's get them.
Use a program such as System Security Suite to clear temps, do so about once or twice a month
If that site is unavailable use this link please
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program Check all the boxes under the 'Items to Clear' (except perhaps cookies) tab and click
'Clear Selected Items'. You will be prompted to reboot, do so.

Run ewido again and post a current log if there are any "Error during cleaning"
Happy New Year

2005-12-31, 18:53
Hi Lonny: I did all that you recommended in your last post. Thanks again for your input. Here's to you & the SpyBot crew... :beerbeerb
Here is the latest Ewido result...
ewido anti-malware - Scan report

+ Created on: 9:45:42 AM, 12/31/2005
+ Report-Checksum: 6D4A04D5

+ Scan result:

C:\WINDOWS\Temp\~323065.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~770932.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~891705.tmp -> Spyware.Wintools : Error during cleaning

::Report End

2005-12-31, 20:01
Run System Security Suite again then reboot your pc, after that >

Let's see another hijackthis log and a silent runners report.
Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the supplementary searches
Wait until there is an All Done message!!, then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run, after a bit a box will say done.

2006-01-06, 05:18
Logfile of HijackThis v1.99.1
Scan saved at 8:15:07 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Content Filter\TheApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiSpyWare\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\TheApp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'icf.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp
O15 - Trusted IP range: (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094967297104
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MMTray" = "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" ["MusicMatch"]
"Creative WebCam Tray" = "C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" ["Creative Technology Ltd"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"WD Button Manager" = "WDBtnMgr.exe" ["Western Digital Technologies, Inc."]
"SetIcon" = "\Program Files\WDC\SetIcon.exe" ["Standard Microsystems Corp."]
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."]
"IPInSightLAN 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l" ["Visual Networks"]
"IPInSightMonitor 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"" ["Visual Networks"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"ICF" = ""C:\Program Files\Internet Content Filter\TheApp.exe"" ["SafeBrowse.com, Inc."]
"KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll" ["Yahoo! Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll" ["Yahoo! Inc."]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\JDix\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]

Startup items in "JDix" & "All Users" startup folders:

C:\Documents and Settings\JDix\Start Menu\Programs\Startup
"Camio Viewer 3.2" -> shortcut to: "C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe" ["Sierra Imaging"]
"TrueAssistant" -> shortcut to: "C:\Program Files\TrueAssistant\TrueAssistant.exe" ["Esaya, Inc."]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Kaspersky Anti-Hacker" -> shortcut to: "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe /silence" ["Kaspersky Lab"]

Enabled Scheduled Tasks:

"Auto-scheduled task of Free Registry Fix" -> launches: "C:\Program Files\Free Registry Fix\regfixf.exe /run" ["Promosoft Corp."]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
ICF.dll [null data], 01 - 02, 20
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07

Toolbars, Explorer Bars, Extensions:


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]

"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://my.netzero.net/s/sp

Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe"" ["Kaspersky Lab"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 43 seconds, including 18 seconds for message boxes)

2006-01-06, 10:39

Those logs look fine, any current problems ?
You should uninstall ZoneAlarm since you have Anti-Hacker now

See if you can manually delete the contents of the C:\windows\temp folder?

2006-01-09, 05:28
Lonny: I could not delete the Temp folder or any of its sub-folders even when logged in as "administrator". Should I be worried? So far everything else seems to be working great!
Thanks again... Jim

2006-01-09, 08:10
The contents, not the folder; anyway,
"Should I be worried?" No, I think you're good to go :)

2006-01-09, 20:20
Lonny: Yeah, I forgot to mention that all the folders were empty (no contents). So I tried to delete the folders individually and couldn't do it; even at the lowest level (sub-folder).
But, anyway, you mentioned I'm "good to go". That's comforting, for sure! Now all I have to do is maintain "my clean computer condition" with Spybot et al.
It's been a fun learning experience working with you & the other Spybot experts.
Thank you again so very much !! :bigthumb:

2006-01-10, 03:42
Put in place a good hosts file
How To Download and Extract the HOSTS file:
Replace it about once monthly
How did that go ?

To help avoid reinfection see "So how did I get infected in the first place?"


2006-01-14, 23:30
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.

Glad we could help. :D