Please help, YupSearch toolbar

Question

hammy 7 Junior Poster

19 Years Ago

Hello everybody. About 2 days ago something quite odd happened on my computer. The first thing i noticed was that the Programs,doucuments, settings, help and support, run log off and turn off buttons, in my start menu had disappeared. I went on the internet to check some stuff out, and noticed that i had a very "bad" looking toolbar. I knew it was something not good right away considering it had installed itself somehow. So i figure hey no biggy, I will just go to add/remove programs and delete it. Thing is that it wasn't there. Now i knew this was something serious. So I ran my Ad-aware and spybot hopping to get rid of the problem. It fixed many things but none in which got rid of the toolbar. At this point I still had no idea what it was even called, considering i couldnt find it anywhere on my computer. then i started messing around with the buttons and stuff on the toolbar trying to find a way to get rid of it. I found a uninstall button. Im like "Oh thank god finally!". But the I clicked the button which took me to a webpage which could not be found. (The webpage was: http://yupsearch.com/uninstall.php?ver=62&acc=) I looked at the URL and saw yupsearch at the biggening. I tried going to yupsearch.com but still no luck. Then i decided to post a Hijackthis log for the good ol` people at daniweb to look at. It wasnt until i started righting this that the yupseach URLS started working so i dont know what was up there.

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:16 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\pctspk.exe
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\etb\pokapoka62.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Hammy\My Documents\desktop\Tool Kit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lavasoft.de/news/product/info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LaunchList] E:\Program Files\Pinnacle\Studio 9\LaunchList.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Plus Blue] E:\DOCUME~1\Hammy\APPLIC~1\drawbend\duperealpure.exe
O4 - Global Startup: AOL Instant Messenger.lnk = E:\Program Files\AIM\aim.exe
O4 - Global Startup: MSN Messenger 6.2.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} (karCntrlIE Class) - http://karaoke.cokemusic.com//karClientIE.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Macromedia Licensing Service - Macromedia - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Please, please tell me what i need to do to fix this. Thanks.

windows-virus

5 Contributors
17 Replies
944 Views
1 Month Discussion Span
Latest Post 19 Years Ago Latest Post by chrisbliss18

dlh6213 27 Posting Maven

19 Years Ago

Hey Hammy, long time no see.

In the future, remember to close any open browser windows before scanning with HJT.

I believe 'pokapoka' is your main problem. Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe

Close any open windows, other then HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

E:\windows\system32\elitecla32.exe

E:\WINDOWS\etb

If either cannot be deleted, try booting into Safe Mode and deleting it from there.

Do you know what this file is for? duperealpure.exe If not, do a search for it, right-click on it, go to Properties, and get whatever information you can from there (Company, version, etc.)

Reboot (normally), close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven

19 Years Ago

It was supposed to go away, but it's being stubborn :(

Make sure your system is set up to 'Show hidden files and folders' -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and deselect (uncheck) Hide protected operating system files.

Reboot into Safe Mode.

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe

Close any open windows, other then HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

E:\windows\system32\elitecla32.exe <-- File

E:\WINDOWS\etb <-- Folder

If you still can't find or delete these, open HijackThis again and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Copy and paste E:\windows\system32\elitecla32.exe into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Repeat the delete on reboot instructions for E:\WINDOWS\etb\pokapoka62.exe.

Do a search for drawbend and duperealpure and see if you can find out anything about these now. It's no longer in your log, but if it's something bad we should make sure it's actually gone.

Back in normal mode, scan with HijackThis and post a new log.

dlh6213 27 Posting Maven

19 Years Ago

Sorry, I missed a step. Open Windows Explorer, go to Tools, and then Folder Options; when the Folder Options window opens, click on the View tab. You should find these entries in the list under Advanced settings. Select Show hidden files and folders, and deselect (uncheck) Hide protected operating system files.

For any of the popup messages you're getting, don't click on any of them, not even to close them; either right-click and select Close, or use Task Manager (Ctrl-Alt-Del) and End Task.

Post a new HJT log with you're next reply (after you've fixed/deleted the bad entries).

DMR 152 Wombat At Large

19 Years Ago

Good- the main "nasties" are no longer present in your latest log.

A couple of things, though:

1. MessengerPlus! 3 has a "Sponsored" installation mode, and if installed in this mode, the program will install adware on your system. If you are unsure of which installation mode you chose, you should uninstall the program and then reinstall it without the Sponsor option.

2. The following log entry is a loose end which should be taken care of:

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

To do this:

A) Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "Remote Packet Capture Protocol" or "rpcapd" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

B) Run HijackThis again, do another scan, and put a check in the box to the left of the O23 - Service: Remote Packet Capture Protocol v.0 entry, and then click "Fix Checked".

C) Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

rpcapd

3. Reboot and then run another HJT scan to make sure the rpcapd entry no longer exists.

hammy commented: thanks for helping me out with the YupSearch toolbar! +1

dlh6213 27 Posting Maven

19 Years Ago

Post a new HJT log :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

hammy 7 Junior Poster · Answer 1 · 2005-08-09T05:11:37+00:00

long time no see? We just spoke yesterday, lol! :cheesy:

I removed/fixed the problems you told me to romove/fix without a problem. However when i went to the locations you told me to to delete the things you asked me to they wern't there. I also did a search and it didn't find them. I do not know what duperealpure.exe is. I did a seach like you asked me to and it didnt find that either. I even tried a search on google and got nothing. I rebooted and ran hijackthis and here is thy log:

Logfile of HijackThis v1.99.1
Scan saved at 4:03:45 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\system32\msiexec.exe
E:\WINDOWS\system32\pctspk.exe
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
E:\WINDOWS\etb\pokapoka62.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Hammy\My Documents\desktop\Tool Kit\HijackThis.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LaunchList] E:\Program Files\Pinnacle\Studio 9\LaunchList.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: AOL Instant Messenger.lnk = E:\Program Files\AIM\aim.exe
O4 - Global Startup: MSN Messenger 6.2.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} (karCntrlIE Class) - http://karaoke.cokemusic.com//karClientIE.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Macromedia Licensing Service - Macromedia - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Im not sure if it was supposed to go away by now but i still have the search bar.

Thanks for the help, you guys are fast a replies :P
-Hammy

hammy 7 Junior Poster · Answer 2 · 2005-08-10T10:08:21+00:00

I dont see the things you are telling me to select and deselect. I went to the folder options but its not finding it.

Something else is going on with my computer and i think it has to do with this thing. Its hard to explain but im getting messages like im using things for the first time like if i open media player i have to set it up and stuff again and like it keeps asking me if i want to remember passwords even though i say not to ask again. my homepage keeps getting set to msn.com and one other windows update page thing.

hammy 7 Junior Poster · Answer 3 · 2005-08-11T01:51:03+00:00

Oh my gosh, Oh my gosh, Oh my gosh! I think we got it! No more search bar :D

I did a search on those to things, still nothing. Heres my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:42 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\pctspk.exe
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
E:\Program Files\AIM\aim.exe
E:\Documents and Settings\Hammy\My Documents\desktop\Tool Kit\HijackThis.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LaunchList] E:\Program Files\Pinnacle\Studio 9\LaunchList.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: AOL Instant Messenger.lnk = E:\Program Files\AIM\aim.exe
O4 - Global Startup: MSN Messenger 6.2.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} (karCntrlIE Class) - http://karaoke.cokemusic.com//karClientIE.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Macromedia Licensing Service - Macromedia - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

hammy 7 Junior Poster · Answer 4 · 2005-08-11T10:32:40+00:00

I didnt to the sponsored version. when i did a hjt scan it didnt find the entry O23 - Service: Remote Packet Capture Protocol v.0

What should i do then?

hammy 7 Junior Poster · Answer 5 · 2005-08-13T01:33:28+00:00

okay then, here you are:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:46 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\system32\pctspk.exe
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Hammy\My Documents\desktop\Tool Kit\HijackThis.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LaunchList] E:\Program Files\Pinnacle\Studio 9\LaunchList.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL Instant Messenger.lnk = E:\Program Files\AIM\aim.exe
O4 - Global Startup: MSN Messenger 6.2.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} (karCntrlIE Class) - http://karaoke.cokemusic.com//karClientIE.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: Macromedia Licensing Service - Macromedia - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

DMR 152 Wombat At Large Team Colleague · Answer 6 · 2005-08-13T08:05:24+00:00

DMR 152 Wombat At Large

19 Years Ago

All looks good; your latest log is clean. :)

hammy 7 Junior Poster · Answer 7 · 2005-08-13T11:55:48+00:00

hammy 7 Junior Poster

19 Years Ago

hey yay thanks dlh6213 and DMR! :lol:

dlh6213 27 Posting Maven Team Colleague · Answer 8 · 2005-08-13T13:13:55+00:00

dlh6213 27 Posting Maven

19 Years Ago

You're welcome :)

hammy 7 Junior Poster · Answer 9 · 2005-08-16T14:30:55+00:00

Can you still give people good rep? I would like to do so with the both of you if possible :) Let me know how if we can.

dlh6213 27 Posting Maven Team Colleague · Answer 10 · 2005-08-16T19:55:58+00:00

Can you still give people good rep? I would like to do so with the both of you if possible :) Let me know how if we can.

Just click on the little 'scales' symbol next to the post number.

crazyaz88 0 Newbie Poster · Answer 11 · 2005-09-21T01:31:26+00:00

hey, that was great how you helped hammy, but please help me also, I am having trouble following the way his problem was solved with yupsearch.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:00 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ajbvcxv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\gwxofyy.EXE
C:\WINDOWS\etb\pokapoka69.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\Program Files\FCEngine\FCEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\RAYZEQ~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [gwxofyy] C:\WINDOWS\gwxofyy.EXE
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service68] C:\WINDOWS\\etb\pokapoka68.exe
O4 - HKLM\..\Run: [System service69] C:\WINDOWS\etb\pokapoka69.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [stratas] lockx.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Filter: text/html - {724D478A-2BD0-4DB4-AE42-288B1E346EF7} - C:\Program Files\FCEngine\Plugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ajbvcxv.exe

chrisbliss18 26 Posting Shark · Answer 12 · 2005-09-21T01:41:02+00:00

crazyaz88, make your own thread so we can focus on your issues directly.