been hit by Dr. Watson!


This topic is locked

#1 heerozeero (New Member, 7 posts)
Hello there! Very recently I got an error message claiming that the Dr. Watson Postmortem thingie needed to close. Since I don't remember ever installing any such software, I knew there was something fishy going on. I stumbled into Geeks to Go! and was curious about how HJT works, and awed at how many systems this program has helped clean. I've done the preliminary cleanup steps outlined by the Geeks to Go admin and would like someone to check my first HJT logfile for anything suspicious.


#2 heerozeero (Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 9:01:25 PM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [BLBo8] C:\WINDOWS\yafeflh.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VirtualDrive] "E:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metroban...VBAuthentic.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://210.1.70.65/n...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6D8418A-73ED-4199-803D-F875C7A580DA}: NameServer = 210.5.68.147 203.172.17.204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#3 heerozeero (Topic Starter)
GTG Admins, Mods and Experts... please help! I would like to know if I still have bugs in my system. Please check my log! Thank you!

#4 Guest_thatman_* (Guest)
Hi heerozeero

Welcome to geekstogo

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [BLBo8] C:\WINDOWS\yafeflh.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://210.1.70.65/n...Crypt/npkcx.cab

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\PROGRA~1\COMMON~1\tsa<--Delete the whole folder
C:\WINDOWS\yafeflh.exe<--Delete this file
crsss.exe<--Delete this file

Exit Explorer

Reboot as normal

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc
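Added example, not part of the thread and not a Geeks to Go tool: a small Python script that applies the structural checks a log reader runs in their head to the O4 (startup) and O16 (downloaded ActiveX) lines from the log above. The sample lines are copied from the posted log; the rules, the severities and the SYSTEM_NAMES list are the editor's own assumptions. It flags crsss.exe twice, once because HKCU\..\RunServices is a key legitimate XP software does not normally use and once because the name is one transposition away from csrss.exe, the legitimate Client/Server Runtime Subsystem process in System32; it flags yafeflh.exe for sitting directly in C:\WINDOWS rather than System32; and it flags the O16 control served from a bare IP address. Note what it does not catch: the Tsl2 entry looks structurally ordinary and gets no hit, which is exactly why a person who knows the malware families still has to read the log, and why low-severity hits such as nwiz.exe are expected noise rather than verdicts.

```python
"""Heuristic triage of HijackThis O4 (startup) and O16 (DPF/ActiveX) lines.

Editor-added example. Every rule here only marks an entry for review;
a clean result does not mean a clean machine.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Legitimate Windows process names that malware likes to imitate (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 - DPF: {CLSID} (optional description) - URL
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# An executable directly in the Windows directory, not in a subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [BLBo8] C:\WINDOWS\yafeflh.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://210.1.70.65/n...Crypt/npkcx.cab
"""


@dataclass
class Finding:
    line: str
    severity: str  # "high" or "low"
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions,
    so a swapped pair of letters (crsss vs csrss) counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def first_token(cmd: str) -> str:
    """Return the program part of a Run value: a quoted path or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(m):
    """Yield (severity, reason) pairs for one parsed O4 line."""
    exe = first_token(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    if m["key"].lower().startswith("runservices"):
        yield "high", "startup entry under RunServices, a key legitimate XP software does not normally use"
    if base not in SYSTEM_NAMES:
        for real in sorted(SYSTEM_NAMES):
            if osa_distance(base, real) == 1:
                yield "high", f"{base} is one edit away from system process {real}"
    if "\\" not in exe:
        yield "low", f"bare file name {exe}: resolved through the search path, not a fixed location"
    if WINDOWS_ROOT_RE.match(exe.lower()):
        yield "low", f"{base} sits directly in the Windows directory rather than System32 or Program Files"


def check_o16(m):
    """Yield a finding when the ActiveX package is fetched from an IP literal."""
    host = urlsplit(m["url"]).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return
    yield "high", f"ActiveX control served from a bare IP address ({host})"


def triage(log_text: str) -> list:
    """Parse O4/O16 lines and return every Finding, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            checks = check_o4(m)
        elif m := O16_RE.match(line):
            checks = check_o16(m)
        else:
            continue
        findings.extend(Finding(line, sev, why) for sev, why in checks)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.line}\n        {f.reason}")
```

Running the script prints one block per hit; anything not listed (avgcc.exe, zlclient.exe, tsl2.exe, the Panda ActiveScan control) passed every structural rule, which is not the same as being known good.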

#5 heerozeero (Topic Starter)
Sir Kc,

Thank you very much for replying!
I am very excited because I must admit that this is the first time I have sought professional help through the net.

I followed the first part of your instructions. I closed all programs and ran an HJT scan. I successfully fixed

O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://210.1.70.65/n...Crypt/npkcx.cab

but mysteriously,

O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [BLBo8] C:\WINDOWS\yafeflh.exe

were not there anymore.

I rebooted into safe mode, but TSA, YAFEFLH, and CRSSS were nowhere to be seen. Now I am back in normal mode and scanning my PC using the online services you posted. Will post back results!

#6 heerozeero (Topic Starter)
This is the ActiveScan log! HouseCall log after this...

---------------------------------------

Incident Status Location

Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Adware:Adware/WUpd No disinfected C:\Program Files\Windows SyncroAd
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\MIKE\Local Settings\Temp\temp.frD636\istsvc.exe
Adware:Adware/Trymedia No disinfected C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\iux6blrr.default\Cache\3537BDB5d01
Adware:Adware/Trymedia No disinfected C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\iux6blrr.default\Cache\C232E64Ad01
Adware:Adware/Trymedia No disinfected C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\iux6blrr.default\Cache\1C4F9ADDd01
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\rey\Local Settings\Temp\optimize.exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\rey\Local Settings\Temp\iinstall17034.exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\rey\Local Settings\Temp\targetsaver.exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\rey\Local Settings\Temp\GLF8GLF8.EXE
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\rey\Local Settings\Temporary Internet Files\Content.IE5\OLMBO963\istrecover[1].exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\rey\Local Settings\Temporary Internet Files\Content.IE5\4LM70HEF\targetsaver[1].exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\rey\Local Settings\Temporary Internet Files\Content.IE5\S1EJ896F\sidefind[1].exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\rey\Local Settings\Temporary Internet Files\Content.IE5\45IBWXAJ\istsvc[1].exe
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\rey\Local Settings\Temporary Internet Files\Content.IE5\45IBWXAJ\ysb[1].dll
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\rey\Local Settings\Temporary Internet Files\Content.IE5\45IBWXAJ\optimize[1].exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows SyncroAd\CComm.dll
Virus:HackTool Disinfected E:\Installr\Internet\DARKICQ.EXE
Possible Virus. No disinfected E:\My Games\AirStrike 2\airstrike3d ii.exe
Virus:Trj/WmvDownloader.A Disinfected E:\My Shared Folder\Workout - Nude Aerobics XXX - GOOD.wmv
Virus:Trj/WmvDownloader.A Disinfected E:\My Shared Folder\Workout - Nude Aerobics XXX cd1.wmv
Virus:Kamikaze Renamed F:\1\HACKS\202.163.205.224\mmm sarap.txt
Adware:Adware/BrilliantDigital No disinfected F:\Kazaa\My Shared Folder\BDCORE.DLL
Virus:Trj/Banker.EG Disinfected F:\Kazaa\My Shared Folder\Corel Draw 11 Serials (1).exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\HeavyWeaponSetup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\Worms3DSetup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\HeavyWeaponSetup-dm-1.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\Worms3DSetup-dm-1.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\AssignmentBerlinSetup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\UplinkSetup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\StarWraith3-dm-1.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\UplinkSetup-dm-1.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\BeachHead2002-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\AirportTycoon3Setup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\StarWraith3-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\AirportTycoon3Setup-dm-1.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\WormsFortsSetup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\MobEnf_Setup-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\Diplomacy-dm.exe
Adware:Adware/Trymedia No disinfected F:\NEWMP3\Diplomacy-dm-1.exe
Adware:Adware/BrilliantDigital No disinfected F:\program files\Kazaa\BDCORE.DLL
Adware:Adware/BrilliantDigital No disinfected F:\Documents and Settings\Rey\Kazaa Lite\BDCORE.DLL
Adware:Adware/BrilliantDigital No disinfected F:\Documents and Settings\Rey\Kazaa\BDCORE.DLL

#7 heerozeero (Topic Starter)
Odd... HouseCall didn't prompt me to save any logs. At any rate, it found a lone virus and labelled it uncleanable. I deleted it without incident and ran HJT. Hope I did good!

Logfile of HijackThis v1.99.1
Scan saved at 9:10:43 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ntvdm.exe
E:\Program Files\Yahoo!\Messenger\YPager.exe
E:\PROGRA~1\YAHOO!\MESSEN~1\YSERVER.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VirtualDrive] "E:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metroban...VBAuthentic.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6D8418A-73ED-4199-803D-F875C7A580DA}: NameServer = 210.5.68.147 203.172.17.204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#8 Guest_thatman_* (Guest)
Hi heerozeero

Need some information and a new HijackThis.log.

1. Is this a multi-boot system?

2. With every reply I will need a HijackThis.Log

Kc

#9 heerozeero (Topic Starter)
If multi-boot means a PC that allows multiple OSs to be used, then no, it is not. It's all XP SP2. And a HijackThis log with every reply, aye!

#10 Guest_thatman_* (Guest)
Hi heerozeero

Download CCleaner and unzip the file to install.
Unzip the program, then open CCleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows Explorer, and System in the Windows tab.
Double click on the CCleaner icon, then run the program.

Reboot into safemode

Using Windows Explorer, delete the following files and folders, if found:
C:\Program Files\Ares<--Delete the whole folder
C:\Program Files\Windows SyncroAd<--Delete the whole folder
F:\program files\Kazaa<--Delete the whole folder
F:\Documents and Settings\Rey\Kazaa Lite<--Delete the whole folder
F:\Kazaa<--Delete the whole folder
F:\1\HACKS<--Delete the whole folder
F:\NEWMP3<--Delete the whole folder

Possible Virus. No disinfected E:\My Games\AirStrike 2\airstrike3d ii.exe<-- if this item did not come with your game, you will need to remove it.

Now run CCleaner again

Reboot back into normal mode

Post a new Panda scan log and a new HJT log

Kc

#11 Guest_thatman_* (Guest)
No reply from user

Topic closed

Kc





