Solved

I am having an issue with ZestyFind - I cannot get rid of it

Posted on 2004-04-21
11
430 Views
Last Modified: 2010-04-11
I have W2K SP4, running IE 5.5 SP2.

Somehow, some way I have downloaded this terrible little bugger and cannot get rid of it on my machine.  I have run AdAware and Spybot, both are finding it but not able to delete it.  I have tried rebooting, going into Safe Mode and deleting the dll, but for some reason, I cannot reboot in Safe Mode, I hit the F8, it just continues on.

Your assistance is greatly appreciated.

Thanks

Scott
0
Comment
Question by:smeadows
11 Comments
 
LVL 12

Accepted Solution

by:
rossfingal earned 300 total points
ID: 10883410
Hi Scott!

Download Hijack This from:
http://www.spywareinfo.com/%7Emerijn/downloads.html

Before you run it, install it in it's own folder, not in a temp file or on your Desktop.
Make sure you have all browser windows closed.
Run it and don't fix anything yet - post your log file here and we'll take a look at it.
Please be patient - we have a lot of these logs to look at!

Good luck!
0
 

Expert Comment

by:Justlogin
ID: 10886625
is there a version of Hijack for Windows Server 2003? I encountered error message when I attempted to run it on Windows Server 2003.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10886860
Justlogin
Hi!
What does the error message say?

Good luck!
0
 

Author Comment

by:smeadows
ID: 10887732
RossFingal,

Here is the log, any assistance would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 7:38:56 AM, on 4/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\mssql7\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sherman Financial Group, LLC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = CINSHRPRX01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = orl10plus02.cserver;orl10plusws01.cserver;<local>
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &SearchIt Toolbar search - res://C:\Program Files\IEToolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://*.Intranet
O16 - DPF: ITA64 - http://cinshrmgt02/itassistant/ITA64.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.stlu.com/plugins/Plugin0501.0096/streetnoagent7.cab
O16 - DPF: {0FAA926E-2AF4-11D3-9995-00A0CC3A27A9} (Infragistics ComboBox Control) - http://cinshriis03/TimeCentre/Common/pvcombo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.filesanywhere.com/References/FilesanywhereUploader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/193109f30c406d176920/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://cinshriis03/TimeCentre/Common/iemenu.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3122/cpbrkpie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.2882523148
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (Infragistics DataTable Control 8.0 (OLEDB)) - http://cinshriis03/TimeCentre/Common/pvdt80.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = (I left this blank)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = (I left this blank)
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = (I left this blank)


Let me know your thoughts, thanks.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10889299
Usually, we're told to have people fix the following entry - it wastes system resources and it's unnecessary.
Still considered user preference:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

The following entry should be fixed:
R3 - Default URLSearchHook is missing

Unless you know what these are, the following should be fixed: (see the next entry - O14)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet

This entry: if the URL is not the provider of your computer or your ISP, have HijackThis fix it.
O14 - IERESET.INF: START_PAGE_URL=http://intranet

Most of the time only AOL and  Coolwebsearch silently add sites to the Trusted Zone. If you didn't add the listed domain to
the Trusted Zone yourself, have HijackThis fix it.
O15 - Trusted Zone: http://*.Intranet

The following is considered a candidate for removal:
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
Virtual Bouncer - malware from Spyware Labs. It is distributed by the same bundling and drive-by download techniques as the parasites it claims to remove, so definitely qualifies as unsolicited commercial software in itself. It also has an update
feature that can download and execute arbitrary code. Warning - choose "custom" uninstall as "automatic" may
remove other programs - see here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=95e66f0.0302121154.4a347ea0%40posting.google.com  
"xxxx" represents 4 random numbers

Unless you have the Spybot S&D option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix these two:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The following is part of Kontiki:
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
See here: http://www.pestpatrol.com/PestInfo/k/kontiki.asp
The rest of the O16 - DPF entries look alright, as long as you know what they are.

You have an awfully lot of services running - this is generally considered as opening your computer up as a target for
attack.
See the site below as a guide for Services, and how to configure them:
http://www.blackviper.com/WIN2K/servicecfg.htm

It concerns me that you can't get into Safe Mode - right-click My Computer, click on Properties, click Advanced, click on
Startup and Recovery, and make sure you have a check in the box "Display list of operating systems for" usually 30 seconds
is good.
After you have Hijack This fix anything, empty your recycle bin and reboot - also, it's often better to run Hijack This in
Safe Mode, if you can.
Post a new log file.
Any questions?
Good luck!
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 12

Expert Comment

by:rossfingal
ID: 10891360
Hi!
Was doing some checking and this entry should be fixed:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/193109f30c406d176920/netzip/RdxIE601.cab

Good luck!
0
 

Author Comment

by:smeadows
ID: 10891556
Here is what I have now:

Logfile of HijackThis v1.97.7
Scan saved at 1:33:48 PM, on 4/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\mssql7\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\mmc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sherman Financial Group, LLC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = CINSHRPRX01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = orl10plus02.cserver;orl10plusws01.cserver;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://*.cinshriis01
O15 - Trusted Zone: http://*.cinshriis02
O15 - Trusted Zone: http://*.cinshriis03
O15 - Trusted Zone: http://*.cinshriis04
O15 - Trusted Zone: http://*.cinshriis05
O15 - Trusted Zone: http://*.Intranet
O16 - DPF: ITA64 - http://cinshrmgt02/itassistant/ITA64.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.stlu.com/plugins/Plugin0501.0096/streetnoagent7.cab
O16 - DPF: {0FAA926E-2AF4-11D3-9995-00A0CC3A27A9} (Infragistics ComboBox Control) - http://cinshriis03/TimeCentre/Common/pvcombo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://cinshriis03/TimeCentre/Common/iemenu.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.2882523148
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (Infragistics DataTable Control 8.0 (OLEDB)) - http://cinshriis03/TimeCentre/Common/pvdt80.cab
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10966149
0
 

Expert Comment

by:nuschel
ID: 10983395
This is caused by the Look2Me parasite.  It can be easily removed by using the kill2me tool located at this website:

http://www.spywareinfo.com/~merijn/

You do have a lot of programs starting as well.   I've used this tool on about 15 different computers with the ZestyFind problem and it has always worked perfectly.
0
 

Author Comment

by:smeadows
ID: 10988458
I ran the Look2Me fix and still having IE windows pop up and close and/or Icons appear on my desktop.  I ran HijackThis again and here is the log file, any assistance would be great:

Logfile of HijackThis v1.97.7
Scan saved at 12:38:30 PM, on 5/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\mssql7\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\mmc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AR System\aruser.exe
C:\Program Files\AR System\alert.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wisptis.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sherman Financial Group, LLC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = CINSHRPRX01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = orl10plus02.cserver;orl10plusws01.cserver;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://*.cinshriis01
O15 - Trusted Zone: http://*.cinshriis02
O15 - Trusted Zone: http://*.cinshriis03
O15 - Trusted Zone: http://*.cinshriis04
O15 - Trusted Zone: http://*.cinshriis05
O15 - Trusted Zone: http://*.Intranet
O16 - DPF: ITA64 - http://cinshrmgt02/itassistant/ITA64.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.stlu.com/plugins/Plugin0501.0096/streetnoagent7.cab
O16 - DPF: {0FAA926E-2AF4-11D3-9995-00A0CC3A27A9} (Infragistics ComboBox Control) - http://cinshriis03/TimeCentre/Common/pvcombo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://cinshriis03/TimeCentre/Common/iemenu.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.2882523148
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (Infragistics DataTable Control 8.0 (OLEDB)) - http://cinshriis03/TimeCentre/Common/pvdt80.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shermfin.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shermfin.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shermfin.com

0
 

Author Comment

by:smeadows
ID: 11004611
None of these remedies worked, I have had to reimage my machine.  This did take care of this issue, I appreciate all of your assistance
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now