BestTechie Forums: Cabrotor Found In Spybot S&d Scan - BestTechie Forums


Cabrotor Found In Spybot S&d Scan


#1 User is offline   domingus 

  • Full Member
  • PipPip
  • Group: Members
  • Posts: 40
  • Joined: 24-August 04

Posted 26 October 2004 - 08:09 PM

Chappy or anyone, Here's my HiJackThis log. I don't know what to fix.

Thanks for the help


Logfile of HijackThis v1.98.2
Scan saved at 8:05:05 PM, on 10/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Compaq\eakdrv\STARTDRV.exe
C:\WINDOWS\System32\pctspk.exe
C:\Compaq\eakdrv\EAKDRV.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\RAM Idle\RAMIdle.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Compaq\eakdrv\EAUSBKBD.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jsonline.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\RAM Idle\RAMIdle.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06B05BAC-58F8-490D-A4A1-342AAFDC79D6}: NameServer = 65.43.19.26 206.141.192.60
O17 - HKLM\System\CS1\Services\Tcpip\..\{06B05BAC-58F8-490D-A4A1-342AAFDC79D6}: NameServer = 65.43.19.26 206.141.192.60

#2 User is offline   Racktracker 

  • Hunter of Malware
  • Pip
  • Group: Members
  • Posts: 1
  • Joined: 23-August 04

Posted 26 October 2004 - 09:00 PM

Not really much in the way of problems in your log.

Run another HijackThis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing


#3 User is offline   thesidekickcat 

  • UberTechie
  • PipPipPipPipPipPip
  • Group: Members
  • Posts: 1810
  • Joined: 23-August 04
  • Location:Portland Oregon

Posted 26 October 2004 - 09:13 PM

I am not sure if this is any help or not.
I scanned with Spybot just after getting off the internet last night and came up clean. Today I logged on and then came over here, found a notice from someone that Spybot had an update, so I got it, did another scan, and it came up with this:

"Error during check!: Cabrotor (Datei C:\WINNT\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
Congratulations!: No immediate threats were found. ()"

So it appears to be an error of some kind. It still comes up with the same thing on additional scans. I don't know if that is any help or not. I would like to hear if anyone else is getting the same thing.

I am sorry if this is the wrong place to put this but thought it might be pertinent.

P.S. My Norton scans come up clean. So could this just be a Spybot S+D error or false positive?

God bless everyone.

#4 User is offline   domingus 

  • Full Member
  • PipPip
  • Group: Members
  • Posts: 40
  • Joined: 24-August 04

Posted 26 October 2004 - 09:15 PM

Hi RackTracker,

I'm not home now, so I'll do this when I get there.

I'm curious as to why Yahoo is in need of fixes. Oh well.

Thanks.

#5 User is offline   domingus 

  • Full Member
  • PipPip
  • Group: Members
  • Posts: 40
  • Joined: 24-August 04

Posted 26 October 2004 - 09:20 PM

thesidekickcat, on Oct 26 2004, 09:13 PM, said:

I am not sure if this is any help or not.
I scanned with Spybot just after getting off the internet last night and came up clean. Today I logged on and then came over here, found a notice from someone that Spybot had an update, so I got it, did another scan, and it came up with this:

"Error during check!: Cabrotor (Datei C:\WINNT\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
Congratulations!: No immediate threats were found. ()"

So it appears to be an error of some kind. It still comes up with the same thing on additional scans. I don't know if that is any help or not. I would like to hear if anyone else is getting the same thing.

I am sorry if this is the wrong place to put this but thought it might be pertinent.

God bless everyone.

Wow - I'm glad to know that it's just not happening to me.

I wonder if they goofed up again in their update.

Thanks thesidekickcat.

Take care

#6 User is offline   domingus 

  • Full Member
  • PipPip
  • Group: Members
  • Posts: 40
  • Joined: 24-August 04

Posted 27 October 2004 - 02:27 PM

Hi thesidekickcat,

Just wanted you to know that today's update took care of the Cabrotor error message. After the update today, I ran the scan and it was all clear.

It appears yesterday's update was an "ooops".

Take care.

#7 User is offline   thesidekickcat 

  • UberTechie
  • PipPipPipPipPipPip
  • Group: Members
  • Posts: 1810
  • Joined: 23-August 04
  • Location:Portland Oregon

Posted 27 October 2004 - 05:11 PM

Thanks for letting me know it was Spybot S and D's error. Whew!!! :D

And I am sorry for butting in on your HJT log thread (yes I do know better :rolleyes: ), but it just felt like something would have shown up in your log if this threat had been for real. So I was adding my little bit in case there was another reason for this thing.

I did another scan after today's Norton antivirus update and came up clean again, as well as updated Spybot and scanned again. Clean!!! Whew!!! :D

Sure a big relief to find it wasn't something invading our computers. My Norton warns me every now and then, even as recently as night before last, that a trojan is attempting entry and it is being blocked. And that is with a dial up connection!!!!

Seriously I think my blood pressure would be lower if I wasn't always trying so hard to stay safe and keep everything working right. :rolleyes:

God bless everyone.

#8 User is offline   Dragon 

  • The Spyware Killing Dragon
  • Group: Trusted Helpers
  • Posts: 974
  • Joined: 28-September 04
  • Location:Iowa USA
  • Operating System:Windows Vista Home Premium & Ubuntu--Vanilla Kernel

Posted 12 November 2004 - 11:20 AM

domingus, on Oct 26 2004, 09:15 PM, said:

Hi RackTracker,

I'm not home now, so I'll do this when I get there.

I'm curious as to why Yahoo is in need of fixes.  Oh well.

Thanks.

Hi there,
In reference to your question dealing with the Yahoo entries, the RedClientsApp section is the concern; Red Clients is a form of spyware. It tracks the websites you go to so that spam can be sent to your email account that is on record with Yahoo.
By fixing these entries, it removes the red client app, but keeps your homepage set to Yahoo like you want.
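
The entries selected for fixing in post #2 are the Internet Explorer search settings whose URL points at red.clientapps.yahoo.com. As an added example (not part of any post in this thread), the Python below parses HijackThis R-section lines and groups the URL settings by the host they point to, so a reviewer can see where each browser setting leads; the function names and the trimmed sample log are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: R-section lines taken from the log in post #1
# (the "..." inside the URLs is how the forum displayed them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jsonline.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
"""

# Shape of an R0/R1 line: "<code> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*)$")


def parse_r_entries(log_text):
    """Return one dict per R-section line that has the key,value = data shape."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # e.g. the R3 line, which carries no key/value pair
        code, hive, key, name, data = m.groups()
        # Only URL-valued settings have a host; "Window Title" does not.
        host = urlsplit(data).hostname if data.startswith("http") else None
        entries.append({"code": code, "hive": hive, "key": key,
                        "name": name, "data": data, "host": host})
    return entries


def entries_by_host(log_text):
    """Group the URL-valued IE settings by the host they point to."""
    grouped = {}
    for e in parse_r_entries(log_text):
        if e["host"]:
            grouped.setdefault(e["host"], []).append((e["hive"], e["name"]))
    return grouped


if __name__ == "__main__":
    for host, settings in entries_by_host(SAMPLE_LOG).items():
        print(host, settings)
```
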
