#1
hijackthis log for IST?
here are the results from this AM
Logfile of HijackThis v1.99.1
Scan saved at 9:36:36 AM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\downloads\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {1BB48282-1A98-EEDA-8761-CA056347D52E} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [qQCPCaP4A] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [R8hyMTBI] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [FE61EE6B] C:\WINDOWS\sys5355.exe
O4 - HKLM\..\Run: [FE61ECDB] C:\WINDOWS\sys5358.exe
O4 - HKLM\..\Run: [FE6DEE5B] C:\WINDOWS\sys5317.exe
O4 - HKLM\..\Run: [EuvFGbMv] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dYKxK] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [tds9PMG2H] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [1fFZ] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [v7kIfZ] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [aXx33ZEaf] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FE6DEE5B] C:\WINDOWS\sys5317.exe
O4 - HKCU\..\Run: [FE61ECDB] C:\WINDOWS\sys5358.exe
O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Set Network Time.lnk = C:\WINDOWS\system32\net.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.iframeprofit.com/
O15 - Trusted Zone: http://*.mycounter.biz/
O15 - Trusted Zone: http://*.porno-search.biz/porn/
O15 - Trusted Zone: http://*.porno-search.biz/sex/
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://192.168.199.1/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://192.168.199.1/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.168.199.1/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.168.199.1/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain
O17 - HKLM\Software\..\Telephony: DomainName = domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Any help would be greatly appreciated.
#2
Hi scooters,
I would like you to perform an online virus scan at Trend Micro Housecall: http://housecall.trendmicro.com/
Select all of your drives listed for scanning. Please check "Auto clean" before scanning. Please copy and paste the report logs from the scan into your next post. If you can't capture the information, please write down what was found and whether anything was or was not deleted. Please include this information in your next post.

Next.... Let's do some more cleaning up:

Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/
Run Adaware, click the "Check for updates now" link, and install the latest reference file. Just update it for now, you will scan with it later! Or perform a "Full system scan" with Adaware and allow it to remove anything it finds.

Then...

Download Spybot - Search & Destroy 1.3 from: http://www.safer-networking.org/en/download/index.html
Make sure you are online, run Spybot - Search & Destroy, click the "Check for updates now" link, and install the latest reference file. Scan and fix all items checked in RED.

Reboot and post a fresh HijackThis log.

Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan. Please read the stickies at the top of the forum before posting!
#3
1st of all, thanks for the help
1) The Co. that I work for runs the latest version of Trend Micro OfficeScan, which was just updated and run. It found no viruses.
2) I ran Adaware and deleted everything that it found (but some of them keep coming back).
3) I ran Spybot Search and Destroy and deleted everything in red.
4) I also ran M$'s new antispyware and it keeps on deleting things, but they seem to come back also.
I work in a 4-star hotel and the porn popups have become more than just a pain in the @ss. Thanks again.
#4
The Housecall online scan is quite different from a standalone antivirus scanner.
I'd like you to download the Istbar Removal Tool from Symantec. The tool can be found here: http://securityresponse.symantec.co...er/FxIstbar.exe
Download the tool to a convenient place such as your desktop, close all other windows and browsers, and run it.

Note:
* The date and time displayed will be adjusted to your time zone if your computer is not set to the Pacific time zone.
* The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
* The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
* The removal tool will not delete some harmless Temporary Internet Files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files. These can be manually deleted using the following steps:
  1. Start Internet Explorer.
  2. Click Tools > Internet Options.
  3. In the Temporary Internet Files section, click the Delete Files button.
  4. Check Delete all offline content, and then click OK.

After you have run the tool, please post a fresh HijackThis log.

Tom
#5
I really tried to fix it myself before I bothered you guys, so I have already tried the Symantec fix. It said that it could not find the "ist" spyware on my computer, but if you look at the HJT log you will see that it is there, so I don't understand. What's next?
#6
You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.
If you have any questions before starting the fix, please don't hesitate to ask!

Please be sure Adaware and Spybot have the latest updates; if not, update them now.

Boot into Safe Mode: restart your computer, start tapping F8 when your computer first starts booting, and when the menu is displayed, select Safe Mode.

Next...

Run HijackThis, click Scan, and place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "Fix checked". It is OK if some of these items are no longer listed.

O3 - Toolbar: (no name) - {1BB48282-1A98-EEDA-8761-CA056347D52E} - (no file)
O4 - HKLM\..\Run: [qQCPCaP4A] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [R8hyMTBI] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [FE61EE6B] C:\WINDOWS\sys5355.exe
O4 - HKLM\..\Run: [FE61ECDB] C:\WINDOWS\sys5358.exe
O4 - HKLM\..\Run: [FE6DEE5B] C:\WINDOWS\sys5317.exe
O4 - HKLM\..\Run: [EuvFGbMv] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [dYKxK] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [tds9PMG2H] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [1fFZ] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [v7kIfZ] C:\WINDOWS\ytgkos.exe
O4 - HKLM\..\Run: [aXx33ZEaf] C:\WINDOWS\ytgkos.exe
O4 - HKCU\..\Run: [FE6DEE5B] C:\WINDOWS\sys5317.exe
O4 - HKCU\..\Run: [FE61ECDB] C:\WINDOWS\sys5358.exe
O15 - Trusted Zone: http://*.iframeprofit.com/
O15 - Trusted Zone: http://*.mycounter.biz/
O15 - Trusted Zone: http://*.porno-search.biz/porn/
O15 - Trusted Zone: http://*.porno-search.biz/sex/
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

These are resource hogs that can be fixed also:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Next...

Make sure your computer is configured to show all files and folders: click Start, open My Computer, select the Tools menu and click Folder Options, then select the View tab. Under the Hidden Files and Folders heading, select Show Hidden Files and Folders. Uncheck "Hide extensions for known file types". Uncheck the "Hide protected operating system files" option and click Yes to confirm. Click OK.

Search for and delete the following files:
C:\WINDOWS\ytgkos.exe
C:\WINDOWS\sys5355.exe
C:\WINDOWS\sys5358.exe
C:\WINDOWS\sys5317.exe
C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Next....

Go to Start > Run, type "cleanmgr" (without the quotes), select the drive to clean up (usually C), and place a checkmark next to the following:
Temporary Internet Files
Recycle Bin
Temporary Files
Then click OK.

Run Adaware and Spybot Search and Destroy; let them remove anything they find. If either program asks you to reboot and allow it to run again, answer yes!

Reboot normally.

Please post a fresh HijackThis log.

Tom
#7
hold on... I need to add something!
#8
While in Safe Mode:
Delete this folder: C:\Program Files\ISTsvc (delete the entire folder).

Tom
#9
YOU THE MAN! It seems to work just fine now. I ran Adaware again in user mode and all that it found were cookies. Spybot S&D found nothing. I'll write back if anything else pops up but it seems to be fine. Thank you.
Scott
#10
Scott,
We may not be done yet... please post a fresh HijackThis log.

Tom
#11
It's going to have to be tomorrow AM. I hope that this isn't a problem.
#12
No problem. You might want to consider a firewall. Zone Alarm has a free version:
http://www.zonelabs.com/store/conte...reeDownload.jsp

Tom

Dev Shed Forums > System Administration > Antivirus Protection > hijackthis log for IST?