Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

cxtpls\ace.dll [resolved]


  • This topic is locked This topic is locked

#1
th3

th3

    Member

  • Member
  • PipPipPip
  • 130 posts
Any help please?

Ad-Aware and Spybot have been unsucessful so far in ridding me of this nasty little problem.

Log below:



Logfile of HijackThis v1.99.1
Scan saved at 15:33:40, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reba.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc6/games10.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/d...ionale_ver4.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{79DA2740-AD40-4F8B-82D7-153A0B829E99}: NameServer = 194.72.9.39 194.74.65.68
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi th3

Welcome to or forum ;)

Please set your system to show all files; see here for how to do this if you're unsure.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc6/games10.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/d...ionale_ver4.CAB


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

wuamgrd.exe<--Delete this file

Exit Explorer, .

Reboot into normal mode (simply restart your computer as you normally would),
Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Reboot your PC

Post a new HJT.Log

Kc :tazz:
  • 0

#3
th3

th3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 130 posts
Many thanks for your help. To a novice like me I wouldn't know where to start.

The Panda Scan results were:


Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exclean.exe
Spyware:Spyware/ISTbar No disinfected C:\DOCUME~1\Tony\LOCALS~1\Temp\iinstall.exe
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\sahhtml.exe
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\DOCUME~1\Tony\LOCALS~1\Temp\SideFind.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd
Adware:Adware/SuperSpider No disinfected Windows Registry
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\optimize.exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\sidefind.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\temp.fr222F\istsvc.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\temp.fr6AD8\istsvc.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\temp.fr84E6\istsvc.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\temp.fr8935
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\temp.fr8EB8\CxtPls.dll
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Tony\Local Settings\Temp\temp.fr8EB8\ProxyStub.dll
Adware:Adware/WUpd No disinfected C:\Program Files\AdStatus Service\AdStatComm.dll
Adware:Adware/WUpd No disinfected C:\Program Files\AdStatus Service\AdStatKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ControlAd\WinCtlAdShift.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd\WinAtServ.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\system32\iasart.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[msbe.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[bargains.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\mqexdlm.srg
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exdl.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[mqexdlm.srg]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exul.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[javexulm.vxd]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd[msexreg.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SahHtml.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Trend Micro and new HJT log to follow
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi th3

Let start with this first

Please download this http://www.ccleaner.com/

Unzip the program, then run the program

Post a new Hijackthis log

Kc :tazz:
  • 0

#5
th3

th3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 130 posts
I installed and ran the cleaner just prior to your first reply.

Came up clean!

Trend Micro scan also clean.

While in safe mode I couldn't find wuamgrd.exe so I haven't been able to delete.

New HJT scan:

Logfile of HijackThis v1.99.1
Scan saved at 19:42:32, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\The Cleaner\tca.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reba.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79DA2740-AD40-4F8B-82D7-153A0B829E99}: NameServer = 194.72.9.39 194.74.65.68
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Where do I go next? :tazz:
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi th3

Next double click on AD-aware when the program opens>click on the open quarantine list>now do a right click and delete all archives.

now close Ad-aware

Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Reboot your PC

Post a new HJT.Log and the new virus scan list

Thanks

Kc :tazz:
  • 0

#7
th3

th3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 130 posts
trend micro is still clear

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:44:52, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reba.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79DA2740-AD40-4F8B-82D7-153A0B829E99}: NameServer = 194.72.9.39 194.74.65.68
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Panda results:


Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exclean.exe
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\sahhtml.exe
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd
Adware:Adware/SuperSpider No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\AdStatus Service\AdStatComm.dll
Adware:Adware/WUpd No disinfected C:\Program Files\AdStatus Service\AdStatKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ControlAd\WinCtlAdShift.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd\WinAtServ.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\system32\iasart.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[msbe.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[bargains.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\mqexdlm.srg
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exdl.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[mqexdlm.srg]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exul.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[javexulm.vxd]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd[msexreg.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SahHtml.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
how are we getting on?
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi th3
Just mark off the one you find

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\exclean.exe<--Delete if found

C:\WINDOWS\system32\sahhtml.exe<--Delete if found

C:\Program Files\Windows ServeAd<--Delete the whole folder

C:\Program Files\AdStatus Service\AdStatComm.dll<--Delete the whole folder

C:\Program Files\Windows ControlAd\WinCtlAdShift.dll[/b]<--Delete the whole folder

C:\Program Files\Windows ServeAd\WinAtServ.dll<--Delete the whole folder

C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe<--Delete the whole folder

C:\WINDOWS\Downloaded Program Files\SahHtml_.exe<--Delete the whole folder

C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe<--Delete the whole folder

C:\WINDOWS\system32\iasart.exe<--Delete if found

C:\WINDOWS\system32\mac80ex.idf [msbe.dll<--Delete if found

C:\WINDOWS\system32\bargains.exe<--Delete if found

C:\WINDOWS\system32\mqexdlm.srg<--Delete if found

C:\WINDOWS\system32\exdl.exe<--Delete if found

C:\WINDOWS\system32\mqexdlm.srg<--Delete if found

C:\WINDOWS\system32\exul.exe<--Delete if found

C:\WINDOWS\system32\javexulm.vxd<--Delete if found

C:\WINDOWS\system32\netut80ex.vxd <--Delete the whole folder

C:\WINDOWS\system32msexreg.exe<--Delete this file

C:\WINDOWS\system32\SahHtml.exe<--Delete if found

C:\WINDOWS\system32\xmlparse.dll<--Delete if found

C:\WINDOWS\system32\xmltok.dll <--Delete if found


Kc
  • 0

#9
th3

th3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 130 posts
Done and new HJT log below....

Logfile of HijackThis v1.99.1
Scan saved at 23:06:56, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\BT Broadband Basic Help\bin\mad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reba.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Anything else to do?

And thanks for all your help again.
  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi th3

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox user posted image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

Kc ;)
  • 0

#11
th3

th3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 130 posts
Great and thank you.

I have installed FireFox and set as default browser, do I need to do anything with IE? delete/Uninstall or just leave in the background?

Also do you have a link for Sun Java download, looking at the site there's a number of versions/options, which ones best for a home PC?

Thanks again

Tony
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi th3

You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp
Windows (Offline Installation)
Download sun java first make sure it is working if ok

Then follow the steps to remove Microsoft Java Virtual Machine

How can I uninstall the Microsoft Java Virtual Machine (JVM) from Windows XP?

John Savill
InstantDoc #38206
John Savill's FAQ for Windows


A. You might want to remove the Microsoft JVM, which Microsoft no longer supports, in favor of the more recent Sun Microsystems JVM. To remove the Microsoft JVM, perform the following steps:

1. From the Start menu, select Run.
2. Enter the command

RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall

to start the uninstall process
3. Click Yes to the confirmation, then select Reboot.
4. After the machine restarts, delete the following items:
* the \%systemroot%\java folder
* java.pnf from the \%systemroot%\inf folder
* jview.exe and wjview.exe from the \%systemroot%\system32 folder
* The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM registry subkey
* The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM registry subkey (to remove the Microsoft Internet Explorer (IE) options)

Kc
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP