Log File WinXP aboutblank [resolved]


#1 ChuG (Member, 10 posts)
Hello,
I have taken all the necessary steps leading up to posting the hijack log file. Recently my internet connection has slowed down significantly and I have spotted an about blank popup. Also CWS was detected in several scans. Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:42:50 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-kazemule-uk\index.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 66.230.143.209
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.10...sCamControl.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...der/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD3D707A-4FF0-4F27-A67B-D70D4DFE6CEC}: NameServer = 151.203.0.84 151.203.0.85
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by ChuG, 14 April 2005 - 09:51 PM.


#2 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Welcome to Geeks to Go!

First thing I recommend doing is removing SpyKiller from your system. It's optional, but SpyKiller is tagged as a Rogue/Suspect 'anti-spyware' program. You can read more about it here:

http://www.spywarewa...nti-spyware.htm

Go into Start > Control Panel > Add or Remove Programs and remove the following:

SpyKiller

Then using Windows Explorer, locate the following folder (in bold) and delete it, if found:

C:\Program Files\SpyKiller

Post a new HiJackThis log.

#3 ChuG (Topic Starter)
Hey,
Thanks for the reply. I checked for Spykiller in both those locations and it wasn't present. I did remove it to the best of my knowledge a while back. What's next?

#4 Michelle (Malware Removal Goddess, Retired Staff)
Well, it's still on startup so it's there somewhere. We'll deal with it later.

Do you know what the following are?

C:\nge-kazemule-uk
RaptisoftGameLoader

And do you play at EmpirePoker?

#5 ChuG (Topic Starter)
Banana,
I'm not sure what that kazemule is. Also I rarely use Empire poker at all. As far as Spykiller goes I do not see it. Again thanks for the help.

#6 Michelle (Malware Removal Goddess, Retired Staff)
Please press CTRL ALT DELETE to open Windows Task Manager. Click on the processes tab and end the following process:

ViewMgr_.exe

Exit Task Manager.

Go to Start > Control Panel > Add/Remove programs and remove the following:

Viewpoint
Rewards Network (if you don't know what it is or don't use it)
Empire Poker (if you don't want it)

Then, make sure you are disconnected from the Internet and that all programs and windows are closed. Put a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-kazemule-uk\index.html

O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.10...sCamControl.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...der/install.cab


IF YOU DON'T KNOW WHAT THESE ARE, then put a check next to them as well:

O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O15 - Trusted IP range: 66.230.143.209


Close HiJackThis.

Reboot into Safe Mode. You can do this by continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode and hit enter.

Click this link to be sure you're able to: VIEW HIDDEN FILES

Then using Windows Explorer (don't perform a search), delete the following items if found (in bold):

C:\Program Files\Viewpoint <-Whole FOLDER
C:\Program Files\SpyKiller <- Whole FOLDER
C:\nge-kazemule-uk <- Whole FOLDER
C:\Program Files\Rewards Network <- Whole FOLDER (delete only if you removed and "fixed" with HiJackThis)
C:\Program Files\EmpirePoker <- Whole FOLDER (delete only if you decided to remove it from Add/Remove programs)
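One way to mechanise the kind of review done in the post above, as an added example that is not the helper's own tooling: a small Python triage script for HijackThis-style log lines, plus a before/after comparison of the sort a helper does when a new log is posted. The review rules (entries marked "(file missing)", O15 trusted IP ranges, O1 hosts overrides, startup/IE entries outside the usual program directories, and a short list of the programs named as unwanted in this thread) are the example's own assumptions, and the sample log lines are copied from the two logs posted in this thread.

```python
import re

# Matches the "Oxx - body" shape of a HijackThis v1.99 entry line.
ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.*)$")
# Where legitimate startup and IE entries normally live on this system; anything
# else gets a second look (a review heuristic of this example, not a HijackThis feature).
EXPECTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")
# Programs the helper in this thread singled out (SpyKiller as rogue anti-spyware,
# Viewpoint as adware). Assumption: the reviewer maintains this list by hand.
KNOWN_UNWANTED = ("spykiller", "viewpoint")
# Constructed sample: entries copied from the first and second logs in this thread;
# the entries that were "fixed" in between are absent from the second one.
BEFORE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-kazemule-uk\index.html
O15 - Trusted IP range: 66.230.143.209
"""
AFTER_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
"""

def entries(log_text):
    """Yield (section, body) for each O-line; process lists and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def review(section, body):
    """Return why an entry deserves attention, or None if no rule fires."""
    lower = body.lower()
    if "(file missing)" in lower:
        return "target file no longer exists (leftover of a removed program)"
    if section == "O15":
        return "Trusted-zone override for an IP range; weakens IE zone protections"
    if section == "O1":
        return "hosts-file entry pins a hostname to an IP; confirm it is intentional"
    if any(name in lower for name in KNOWN_UNWANTED):
        return "references a program identified as unwanted in this thread"
    if section in ("O4", "O9"):
        m = re.search(r"[a-z]:\\[^\"]*", lower)  # first drive-letter path in the entry
        if m and not m.group(0).startswith(EXPECTED_PREFIXES):
            return "runs from an unusual location outside Program Files/Windows"
    return None

def triage(log_text):
    """Return [(section, body, reason)] for every entry a review rule flags."""
    return [(s, b, r) for s, b in entries(log_text) if (r := review(s, b))]

def diff_logs(before, after):
    """Entries that vanished between two logs, and entries that are new."""
    old, new = set(entries(before)), set(entries(after))
    return sorted(old - new), sorted(new - old)
```

Running `triage(BEFORE_LOG)` flags six of the seven sample entries (NVIEW is left alone), and `diff_logs` shows the five fixed entries gone and only the CleanUp! RunOnce entry new in the second log.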

#7 Michelle (Malware Removal Goddess, Retired Staff)
After rebooting back into normal mode...

Download, install, and run CleanUp!

Then run this online virus scan:
ActiveScan

Copy the results from ActiveScan and paste them here along with a new HiJackThis log.

#8 ChuG (Topic Starter)
banana,
Thanks a bunch for the help. I will do this stuff and get back to you when I get in tonight.

Edited by ChuG, 15 April 2005 - 10:08 AM.


#9 Michelle (Malware Removal Goddess, Retired Staff)
I'll keep an eye out for your post.

#10 ChuG (Topic Starter)
Panda Scan:

Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/Delta No disinfected Windows Registry
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/Minibug No disinfected C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll
Adware:Adware/XPlugin No disinfected C:\WINDOWS\SYSTEM32\t239478.exe

HijackThis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD3D707A-4FF0-4F27-A67B-D70D4DFE6CEC}: NameServer = 151.203.0.84 151.203.0.85
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Thanks

#11 Michelle (Malware Removal Goddess, Retired Staff)
Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\Program Files\AIM\Sysfiles\WxBug.EXE
C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll
C:\WINDOWS\SYSTEM32\t239478.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

As the computer is restarting, tap the F8 key, highlight Safe Mode and hit enter.

In Safe Mode, delete the following folders:
C:\Program Files\Ares
C:\WINDOWS\wt

#12 Michelle (Malware Removal Goddess, Retired Staff)
Let me know how your system is running after following my previous instructions.

#13 ChuG (Topic Starter)
Hello again,

Still receiving this message quite often while surfing:

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

Web page load time is still slow and I often have to click links twice.

#14 Michelle (Malware Removal Goddess, Retired Staff)
Your system is clean. The only thing I see that MIGHT cause problems is NVIEW on startup. It causes various problems on some computers. You can read about it here.

http://www.bleepingc...dHook-3824.html

What I suggest is we remove NVIEW from startup (we will NOT delete it from your system!!) , you reboot your computer and let me know if you're still having problems. If you are, then we know it wasn't NVIEW and we can use the HiJackThis backup to put it back in startup (very easy to do). Sound good to you?

Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following item and click FIX CHECKED:

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

Close HiJackThis. Reboot your computer and let me know if you're still having problems.

You sure it isn't your ISP giving you problems?

#15 ChuG (Topic Starter)
It could very well be my ISP. I'm gonna go ahead and remove nview. I'll be monitoring its performance closely and if it begins to slip I'll get back to you. For now I guess it isn't too bad.

Again thanks very much for the assistance

Edited by ChuG, 15 April 2005 - 10:45 PM.
