Help! I have run Ad-Aware, Search & Destroy, Spyhunter, and even removed some things by hand in my registry. Even so, I can't get rid of Zestyfind installing itself every reboot. Here is my log, thanks in advance!
Logfile of HijackThis v1.97.6
Scan saved at 6:11:52 PM, on 11/15/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\WINAMP3\WINAMPA.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.exe
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\E_S10IC2.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https://sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r*.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\1oew7oys.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {BBDAF240-0F9D-11D8-877C-004005088652} - C:\WINDOWS\SYSTEM\VSDMDBG.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {F4A645D0-D4D5-439E-9DBC-B31BBD9CB890} - C:\WINDOWS\SYSTEM\BPV2S.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.exe
O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O12 - Plugin for .mng: c:\progra~1\intern~1\PLUGINS\NpHcd32.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Let's start with killing this stuff....
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https://sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r*.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\1oew7oys.slt\prefs.js)
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O12 - Plugin for .mng: c:\progra~1\intern~1\PLUGINS\NpHcd32.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
I would also download CWSHREDDER and run it and you might want to pay a visit to House Calls
KTTD

This web address was actually given by customer support at zestyfind.com to stop it from reloading at startup: http://69.57.136.5/ads/clearer.exe
Here is the URL that I got it from, I am going to try it out right now and I will tell you if it works: http://beta.experts-exchange.com/Security/Win_Security/Q_20681825.html
Or just do a search for zestyfind in Google and it should be the third match down titled: Windows Security: Zestyfind -- Getting Rid of as a home page.

OK, tried the program and it did work (removed zestyfind.com as my homepage from startup), but just a warning:
There's over 900 lines of code in the program to get rid of zestyfind. Very suspect to me, but since I don't have anything important on my computer I'm not worried.
Seems like they could have been able to make a simple batch file to remove the program, but /shrug, who am I to say.

While working on a client's computer, I also encountered INETADPT.DLL in the WINDOWS\SYSTEM folder. I sorted the files by date/time, and found the following files which were installed at the same date and time:
CIDRULES.DLL
WINCODE.DLL
WINUPD.DLL
SPORDER.DLL
WINHOST32.EXE
When I right-clicked to see the properties of these files, I found that they all had the same or similar evidence of ownership, mostly identified as "Targetsoft". I removed these files manually along with INETADPT.DLL, booting the system with a Windows 98SE floppy, navigating the C:\WINDOWS\SYSTEM folder and deleting the files one at a time.
I would claim that these files are related to INETADPT.DLL and are part of the same mess left behind in a drive-by install.
I think there is also a minor bug in HijackThis, which repeatedly reports INETADPT.DLL rather than all the offending and offensive files... Ben Myers
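
An added example, not part of any post in this thread: a small Python triage pass over HijackThis log lines that collapses the repeated O10 lines into one path with a count, lists entries whose file is reported as "(no file)", and collects the hosts that the R0/R1 Internet Explorer settings point to. The function names and the report layout are assumptions made for this example, and the regular expression also tolerates an entry glued to a preceding process path, as happens when a log is pasted without line breaks.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Lines copied from the log in this thread; the last one is the pasted form
# where a process path runs straight into the first entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {BBDAF240-0F9D-11D8-877C-004005088652} - C:\WINDOWS\SYSTEM\VSDMDBG.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
C:\WINDOWS\TEMP\HIJACKTHIS.exeR1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
"""

# Section code (R0, R1, N3, O2, O10, ...), " - ", then the entry body.
ENTRY = re.compile(r"([RNO]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
LSP_PREFIX = "Unknown file in Winsock LSP: "

def parse_entries(log_text):
    """Count each distinct (section, body) entry; non-entry lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)  # search, not match: tolerates a glued-on prefix
        if m:
            counts[(m.group(1), m.group(2).strip())] += 1
    return counts

def triage(log_text):
    """Group the entries a reviewer would read first."""
    report = {"orphaned": [], "unknown_lsp": {}, "ie_setting_hosts": set()}
    for (section, body), n in parse_entries(log_text).items():
        clsid = CLSID.search(body)
        if body.endswith("(no file)") and clsid:
            report["orphaned"].append((section, clsid.group(0)))
        elif section == "O10" and body.startswith(LSP_PREFIX):
            report["unknown_lsp"][body[len(LSP_PREFIX):]] = n
        elif section in ("R0", "R1"):
            host = urlsplit(body.partition(" = ")[2]).hostname
            if host:
                report["ie_setting_hosts"].add(host)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```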
