
Aurora pop ups [RESOLVED]



#1
MARK GILES

    New Member

  • Member
  • 6 posts
I am having a problem with Aurora pop ups. I have run Ad-Aware, Microsoft AntiSpyware and others and they are still present. Microsoft AntiSpyware keeps telling me that a program called todo is trying to install in my startup programs, so I have chosen to let it be blocked. Whenever I try to end the process named todo, it tries to add the program to the startup programs again and adds it back to the process list with a new file name. The other program that Microsoft AntiSpyware keeps trying to block is IEPlugin. Thanks for any help you can offer. Here is my HijackThis log.



Logfile of HijackThis v1.99.1
Scan saved at 3:15:51 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\ruttah.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\THOMAS ACURA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by American Honda Motor Co., Inc.
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: www.in.acura.com
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: in.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer2.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.programhq.com
O15 - Trusted Zone: *.xmradio.com
O15 - Trusted Zone: www.in.acura.com (HKLM)
O15 - Trusted Zone: in.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer2.com (HKLM)
O15 - Trusted Zone: www.in.honda.com (HKLM)
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda...RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.acura....EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F23C7A-250F-4906-A4E4-F99B809800BA}: NameServer = 4.2.2.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe


#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Mark Giles

Welcome to the TomCoyote Forums. My name is Trevuren and I will be helping you with your log.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Go to the Tom Coyote Forums http://forums.tomcoyote.org/index.php?
. Click on My Controls near the top middle of the window (make sure you have signed in first)
.On the left hand column, click "view topics"
.If you click on the title of your post, you will be taken there
2. Also, while at that place in control panel, check the box to the right of your post and then scroll down.
Where it says "unsubscribe" click the pull-down menu and select "immediate email notification". By doing this, you will be notified as soon as I have posted a reply to your log.


3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren


#3
MARK GILES

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Trevuren,

Thank you for trying to help me. Sorry for the delay in responding to your reply. I went to the tomcoyote.org site and could not log in without registering as a new user, so I registered, logged in and went to "view topics" and there were no posts to view. I tried searching for the post but it would not come up. I deleted the HijackThis program from my computer and installed the one you suggested. Would you like me to start a new post at the Tom Coyote site and put the HijackThis log there? Thanks again.

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Mark,

Here is the link to your work with me. We will keep this thread.

http://www.geekstogo...=0

Just go to that link and then BOOKMARK the page. You will always find it after that.


Regards,

Trevuren


#5
MARK GILES

    New Member

  • Topic Starter
  • Member
  • 6 posts
Trevuren,

Here is my HijackThis log.

Thank You.

Logfile of HijackThis v1.99.1
Scan saved at 9:16:20 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\odoxkhq.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by American Honda Motor Co., Inc.
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gtuuqn] c:\windows\system32\odoxkhq.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: www.in.acura.com
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: in.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer2.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.programhq.com
O15 - Trusted Zone: *.xmradio.com
O15 - Trusted Zone: www.in.acura.com (HKLM)
O15 - Trusted Zone: in.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer2.com (HKLM)
O15 - Trusted Zone: www.in.honda.com (HKLM)
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda...RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.acura....EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F23C7A-250F-4906-A4E4-F99B809800BA}: NameServer = 4.2.2.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Mark,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware
---------------------------------------
1. Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

2. Download Nailfix from here:
http://www.noidea.us...050515010747824
. Click on Spyware Utilities
. Choose Nail/Aurora Fix
Unzip it to the desktop but please do NOT run it yet.

3. Next, reboot your computer in Safe Mode by doing the following:

A. Restart your computer
B. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
C. Instead of Windows loading as normal, a menu should appear
D. Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

4. Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Now run Ewido, and run a full scan. Save the logfile from the scan.

6. Run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [gtuuqn] c:\windows\system32\odoxkhq.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Close all open windows except for HijackThis and click Fix Checked.

7. Using Windows Explorer, locate and DELETE the following files/folders (and all their content), if they are present:

c:\windows\system32\odoxkhq.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe

8. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,

Trevuren

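As an added example (my code, not from the thread, HijackThis or any tool named above), the Python below parses the log layout pasted in this thread, applies the kinds of checks Trevuren made in post #6 as heuristics, and diffs the running-process lists of the two logs, which makes the randomly named system32 file Mark described (ruttah.exe, then odoxkhq.exe) visible as a change between scans. The sample logs are trimmed copies of the ones posted above; the "random name" rule is an assumption drawn from this thread's [gtuuqn] entry.

```python
# Added example: parses the log layout pasted in this thread (a "Running
# processes:" block ending at a blank line, then entries tagged R0-R3, F0-F3,
# N1-N4 or O1-O24). The triage rules are heuristics modelled on what was
# flagged in post #6, not a verdict from HijackThis or any other tool.
import re
from dataclasses import dataclass


@dataclass
class Entry:
    kind: str   # section tag, e.g. "O4", "F2", "O23"
    body: str   # everything after "<tag> - "


ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# Run values named with a short run of lowercase letters, like [gtuuqn] in the
# log above, are the naming pattern this thread's infection used (heuristic).
RANDOM_RUN_NAME = re.compile(r"^[a-z]{5,8}$")


def parse_log(text):
    """Return (running_processes, entries) from one HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def triage(entries):
    """Return (entry, reason) pairs for lines that match the rules below."""
    findings = []
    for e in entries:
        b = e.body
        if e.kind == "F2" and b.startswith("REG:system.ini: Shell="):
            shell = b.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":   # e.g. Shell=Explorer.exe C:\WINDOWS\Nail.exe
                findings.append((e, "Shell= loads something besides Explorer.exe"))
        elif e.kind == "O3" and b.endswith("(no file)"):
            findings.append((e, "toolbar CLSID whose DLL no longer exists"))
        elif e.kind == "R3" and b.endswith("is missing"):
            findings.append((e, "default URLSearchHook removed"))
        elif e.kind == "O4":
            m = re.search(r"\[([^\]]+)\]\s+(.*)$", b)
            if m and RANDOM_RUN_NAME.match(m.group(1)) and "\\system32\\" in m.group(2).lower():
                findings.append((e, "random-looking Run value pointing into system32"))
        elif e.kind == "O23" and "Unknown owner" in b:
            findings.append((e, "service with no publisher"))
    return findings


def new_processes(earlier, later):
    """Processes in the later log that the earlier log did not show (case-insensitive)."""
    seen = {p.lower() for p in earlier}
    return [p for p in later if p.lower() not in seen]


# Constructed samples: trimmed copies of the 5/21 and 5/23 logs posted above.
LOG_MAY21 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\ruttah.exe
C:\Documents and Settings\THOMAS ACURA\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

LOG_MAY23 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\odoxkhq.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gtuuqn] c:\windows\system32\odoxkhq.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


def report():
    """Triage the later log and list processes that appeared since the earlier one."""
    procs_old, _ = parse_log(LOG_MAY21)
    procs_new, entries = parse_log(LOG_MAY23)
    return triage(entries), new_processes(procs_old, procs_new)
```

The five entries `report()` flags are exactly the non-Dell lines Trevuren asked Mark to check, and the process diff shows the renamed system32 executable alongside the relocated HijackThis.exe.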

#7
MARK GILES

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi Trevuren,

I followed your instructions. When running Ewido I mistakenly stopped the scan just after it started, so I saved the log and started it again, so you will see two separate logs here. I hope I didn't goof it up. Also, when I ran HijackThis and checked the items you requested, 2 of them were not there. They are

O4 - HKLM\..\Run: [gtuuqn] c:\windows\system32\odoxkhq.exe

and

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

but the file svcproc.exe was on the computer when I searched and deleted the files with Windows Explorer.

Here are the 2 Ewido logs and the new HijackThis log.

Thanks Again for taking your time to help me.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:01:54 PM, 5/23/2005
+ Report-Checksum: B1462B62

+ Date of database: 5/23/2005
+ Version of scan engine: v3.0

+ Duration: 2 min
+ Scanned Files: 4524
+ Speed: 26.98 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\251232sv\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\251232SV.251232-01M01\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\251232SV.251232-01M01\Cookies\251232sv@S123639[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\251232SV.251232-01M01\Cookies\251232sv@S148679[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\251232SV.251232-01M01\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:33:46 PM, 5/23/2005
+ Report-Checksum: BEA5F607

+ Date of database: 5/23/2005
+ Version of scan engine: v3.0

+ Duration: 30 min
+ Scanned Files: 47844
+ Speed: 25.89 Files/Second
+ Infected files: 99
+ Removed files: 99
+ Files put in quarantine: 99
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\THOMAS ACURA\Cookies\thomas acura@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Cookies\thomas [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Cookies\thomas acura@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Cookies\thomas acura@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Cookies\thomas acura@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Cookies\thomas acura@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\Cookies\thomas acura@html[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\Cookies\thomas [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\Cookies\thomas [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\Del5F.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\ENU\aurareco.exe -> Spyware.BetterInternet.f -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\res60.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\THOMAS ACURA\Local Settings\Temp\uppicsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3D3FF8D9-4011-42EB-A0FE-A2EB77\344D5AF4-7DBF-403F-9CDC-2DEFD6 -> Spyware.MediaMotor.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F7A0B28E-8AFF-476A-AFFE-30FFB1\162D088A-FE29-46B8-95ED-1F8030 -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F7A0B28E-8AFF-476A-AFFE-30FFB1\41F1B872-02F1-412C-B111-F8A9CF -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F7A0B28E-8AFF-476A-AFFE-30FFB1\6BDBBC1C-1268-4950-A6F5-80D29C -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@advertising[1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@atdmt[2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@bfast[2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@bluestreak[1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@bluestreak[2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@doubleclick[2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@fastclick[1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@hitbox[1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@hitbox[2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@mediaplex[1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][2].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas acura@specificpop[1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\SpyHunter\Backup\thomas [email protected][1].txt.bak -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Windows Media Player\OLD57.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP956\A0016340.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016366.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016371.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016389.dll -> Spyware.WebSearch.aj -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016402.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016407.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016412.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016417.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016418.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP965\A0016421.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016447.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016458.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016475.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016476.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016499.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016500.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016503.exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016504.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016511.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016527.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016528.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016531.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016545.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016546.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP966\A0016559.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP968\A0016578.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP968\A0016593.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016659.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016667.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016668.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016669.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016670.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016671.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016672.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016683.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016706.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016783.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016784.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016789.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016795.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016796.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016798.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016805.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016807.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016808.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016818.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016820.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP972\A0016821.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP973\A0016866.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016867.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016868.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016871.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016874.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016879.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016880.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP974\A0016881.dll -> Trojan.Agent.db -> Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 12:57:07 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HN2000B\HNPCBINM.exe
C:\Program Files\Reynolds\ERALink32\ERALink32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Reynolds\ERALIN~1\wIntegSM.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by American Honda Motor Co., Inc.
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: www.in.acura.com
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: in.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer2.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.programhq.com
O15 - Trusted Zone: *.xmradio.com
O15 - Trusted Zone: www.in.acura.com (HKLM)
O15 - Trusted Zone: in.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer2.com (HKLM)
O15 - Trusted Zone: www.in.honda.com (HKLM)
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda...RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.acura....EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F23C7A-250F-4906-A4E4-F99B809800BA}: NameServer = 4.2.2.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Mark,

Please check all the O15 entries in your HJT log.

Did you put them there? Do you want them there?


Regards,

Trevuren

  • 0
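Trevuren's question above (did you put the O15 entries there?) is a check that can also be scripted. What follows is an added example for this thread, not code from the forum or from HijackThis: it parses the O15 "Trusted Zone" lines out of an HJT log (the sample lines are copied from the log posted above), flags wildcard-over-IP entries, and compares the rest against an allowlist of domains the owner knows he added himself. The allowlist is an assumption built from the dealer domains in that log; the `registrable_domain` helper is a deliberately simple last-two-labels approximation rather than a public-suffix lookup.

```python
"""Triage the O15 (Trusted Zone) entries of a HijackThis v1.99 log.

Added example for this thread; not code from the forum or from HijackThis.
"""
import re
from ipaddress import ip_address

# Constructed excerpt in the exact line format HJT prints; the O15 lines
# are copied from the log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: www.in.acura.com
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: www.in.acura.com (HKLM)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F9F23C7A-250F-4906-A4E4-F99B809800BA}: NameServer = 4.2.2.1,4.2.2.2
"""

# Assumed allowlist: registrable domains the machine's owner says he added.
EXPECTED_TRUSTED = {
    "acura.com", "honda.com", "ahmdealer.com", "ahmdealer2.com",
    "ahm-ownerlink.com", "programhq.com", "xmradio.com",
}

# An O15 line is "O15 - Trusted Zone: <host>" with an optional " (HKLM)" suffix;
# without the suffix HJT is reporting the per-user (HKCU) zone map.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)(?: \((?P<hive>HKLM)\))?$")


def parse_o15(log_text):
    """Return (host, hive) for every O15 line; hive is 'HKCU' unless marked (HKLM)."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            entries.append((m.group("host"), m.group("hive") or "HKCU"))
    return entries


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list); fine for .com hosts."""
    labels = host.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def is_ip_literal_pattern(host):
    """True for entries such as '*.164.109.25.72': a wildcard placed over a bare IP."""
    bare = host[2:] if host.startswith("*.") else host
    try:
        ip_address(bare)
        return True
    except ValueError:
        return False


def triage_o15(log_text, expected=EXPECTED_TRUSTED):
    """Classify each O15 entry as 'ip-literal', 'expected' or 'unexpected'.

    'ip-literal' and 'unexpected' are the ones to ask the owner about;
    anything in the Trusted Zone runs with relaxed IE security settings.
    """
    verdicts = []
    for host, hive in parse_o15(log_text):
        if is_ip_literal_pattern(host):
            verdict = "ip-literal"
        elif registrable_domain(host) in expected:
            verdict = "expected"
        else:
            verdict = "unexpected"
        verdicts.append((host, hive, verdict))
    return verdicts


if __name__ == "__main__":
    for host, hive, verdict in triage_o15(SAMPLE_LOG):
        print(f"{verdict:10s} {hive:5s} {host}")
```

Run against the sample, the two IP-wildcard lines and `*.edcor.com` come back as the entries to query, which is the same conclusion the thread reaches by hand. Paste the full O15 block from a real log into `SAMPLE_LOG` and edit `EXPECTED_TRUSTED` to triage your own machine.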

#9
MARK GILES

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Trevuren,

The O15s were put there by me and I know why they are there except for one, and that is *.edcor.com. I think it is ok but maybe I should delete it and put it back another time if it is something I need. What do you think? I have not seen any popups lately.

Thanks.
  • 0

#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Mark,

Put a checkmark beside that one, click Fix checked, reboot, and send me a final log so we can start the last cleanup.

Regards,

Trevuren

  • 0

#11
MARK GILES

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Trevuren,

I completed that and here is the new log.

Thank You!

Logfile of HijackThis v1.99.1
Scan saved at 2:09:11 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.acura.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by American Honda Motor Co., Inc.
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: www.in.acura.com
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: in.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: www.ahmdealer2.com
O15 - Trusted Zone: www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.programhq.com
O15 - Trusted Zone: *.xmradio.com
O15 - Trusted Zone: www.in.acura.com (HKLM)
O15 - Trusted Zone: in.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer.com (HKLM)
O15 - Trusted Zone: www.ahmdealer2.com (HKLM)
O15 - Trusted Zone: www.in.honda.com (HKLM)
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://metrics.honda...RptViewerEN.cab
O16 - DPF: {F9A6E266-28AD-11D7-92CC-ECB440000000} (reaap02a.clsRegistry) - http://www.in.acura....EB/reaap02a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F23C7A-250F-4906-A4E4-F99B809800BA}: NameServer = 4.2.2.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
  • 0

#12
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Mark,

If you are satisfied, I am too. It was fun working with you.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now let's do some work on your log:

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Close all browser windows and RUN HijackThis.
*Click the SCAN button to produce a log.

Place a check mark beside each one of the following Mandatory items as well as those Optional items that you choose based upon the information provided in green.

MANDATORY ITEMS


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar...spx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar...spx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...8df3dd4905910e6
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


OPTIONAL ITEMS

The following items are considered to be either "not required", "seldom used" or "resource hogs". Their removal should slightly enhance the performance of your system.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


If you don't recognize the following entries or if you no longer wish to have them on your system, just check them off. Don't worry about making a big mistake; they return when/if you re-visit the site.

O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo....r-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
http://69.43.133.72/...ntquick1400.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab


Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

FILES

c:\windows\system32\rk.exe -boot
C:\WINDOWS\autoupdt.exe

FOLDERS (with all their content)

C:\program files\zango\
C:\PROGRA~1\Toolbar\

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

  • 0

#13
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0