Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

The Aurora PopUp[RESOLVED]


  • This topic is locked This topic is locked

#16
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts

The link doesn't work...Says page cannot be displayed

View Post


Works for me. Maybe they tampered with your hosts file.

Find C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and rename it to hosts.bak

Then try again.

Regards,

Pieter
  • 0

Advertisements


#17
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
That is amazing how you know these things. I changed it to hosts.bak and the kaspersky site loaded the next time I clicked the link.

Am running the scan now...

Do you want me to post any results from the kaspersky scan and a new HJT log after the scan has completed???

Edited by death_hand, 24 April 2005 - 08:49 AM.

  • 0

#18
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
The scan works so far, and then it gets to a certain point after scanning 1852 files and gets stuck on the shortcuts on my desktop and doesn't scan any further.

In the files it has scanned though it finds quite a few viruses :S

I saw this thread http://www.geekstogo...ups-t19112.html is it worth me running this???

Edited by death_hand, 24 April 2005 - 09:13 AM.

  • 0

#19
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
We do not recommend that, because it is made by the same people spreading this cr@p and we don't know if and what surprises were built into it.

And it won't help against the Bube infection you have.

Regards,

Pieter
  • 0

#20
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Any ideas to another course of action as the kaspersky scan doesn't seem to work?

And what's a Bube infection??

Edited by death_hand, 24 April 2005 - 12:33 PM.

  • 0

#21
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
I'm sorry. The Bube infection was mentioned at the forum where you uploaded the files:
http://www.thespykil...php?topic=155.0

Is your NAV running OK and completely updated?
You could try running a full scan with that if KAV refuses to go on.

Regards,

Pieter
  • 0

#22
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Will run Symantec AV and see what that picks up.

Here is the results of the Kaspersky scan up until it gets stuck...

C:\Documents and Settings\All Use...ry\eXactAdvertisingBargainsBuddy.zip Passwor...tected-EXE send delete

C:\Documents and Settings\All Use...- Search & Destroy\Recovery\TIBS.zip Passwor...tected-EXE send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\00B00000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\00B00001.VBN Backdoo...32.Rbot.km send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\00B00002.VBN IM-Worm...2.Kelvir.a send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\00B00003.VBN Backdoo...32.Rbot.km send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\00EC0000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\01A00000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\01C40000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\01C40001.VBN Backdoo...Wisdoor.av send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\01C40002.VBN Backdoo...32.Rbot.kz send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\03240000.VBN Trojan-...2.Domcom.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\03EC0000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\04FC0000.VBN Trojan-...32.Ieser.a send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\04FC0001.VBN Trojan.....Delprot.a send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\06480000.VBN Trojan-...2.Agent.is send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\06480001.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07080000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07380000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440001.VBN Backdoo...32.Rbot.kw send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440002.VBN Backdoo...Wisdoor.av send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440003.VBN Backdoo...32.Rbot.kz send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440004.VBN Backdoo...32.Rbot.kw send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440005.VBN Backdoo...Wisdoor.av send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440006.VBN Trojan-....Small.aoi send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440007.VBN Trojan-....PWSteal.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07440008.VBN Backdoo...32.Rbot.kw send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07540000.VBN Trojan-...32.Ieser.a send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07540001.VBN Trojan.....Delprot.a send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07540002.VBN Trojan-...2.Domcom.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07700000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07700001.VBN Backdoo...32.Rbot.km send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0000.VBN Exploit.HTML.Mht send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0001.VBN Trojan-...2.Domcom.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0002.VBN Exploit.HTML.Mht send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0003.VBN Trojan-...S.Linker.k send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0004.VBN Trojan-...BS.Iwill.g send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0005.VBN Exploit.HTML.Mht send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0006.VBN Trojan-....JS.Weis.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0007.VBN Virus.Win32.Bube.l send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0008.VBN Virus.Win32.Bube.k send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC0009.VBN Virus.Win32.Bube.k send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC000A.VBN Trojan-...BS.Iwill.g send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\07BC000B.VBN Trojan-...2.Domcom.b send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\09740000.VBN Trojan-...2.Agent.ki send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0E0C0000.VBN Trojan-....IstBar.hg send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0E0C0001.VBN Trojan-....IstBar.eo send delete

C:\Documents and Settings\All Use... Edition\7.5\Quarantine\0E0C0003.VBN Trojan-....IstBar.eo send delete

I'm not sure how much use this will be to you but I thought I'd put it in anyway
  • 0

#23
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
The list you posted seem to be files that were quarantined by other scanners, so nothing to worry about sofar. :tazz:

Regards,

Pieter
  • 0

#24
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hi there,

Ran a full scan with Symantec Av and it didn't pick anything up, ran a scan with Ewido earlier and it picked up and cleaned a few things.

I'm still getting the Ewido popup window telling me it has found an infected file though. Do you want my latest HJT log to look at?

Thanks
  • 0

#25
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
I would also like to know what the Ewido window says exactly.

Regards,

Pieter
  • 0

Advertisements


#26
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Here is the latest HJT log after running Symantec AV, Microsoft AS, Spybot S&D and Adaware SE:

Logfile of HijackThis v1.99.1
Scan saved at 20:46:53, on 26/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AntiVirus\security suite\ewidoctrl.exe
C:\Program Files\AntiVirus\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bitorrent\BitTornado\btdownloadgui.exe
C:\Program Files\MicrosoftAntiSpywareInstall\gcasDtServ.exe
C:\Program Files\MicrosoftAntiSpywareInstall\gcasServ.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\MicrosoftAntiSpywareInstall\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\AntiVirus\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\AntiVirus\security suite\ewidoguard.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#27
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below
C:\WINDOWS\system32\svhost.exe NOTE the spelling (without the C)

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you recieve an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe

O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe

Reboot once more and post a new log.

Regards,

Pieter
  • 0

#28
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Here is the HJT results after doing the steps posted in your last post. When I reebooted after deleting svhost.exe using killbow a dialouge box came up saying the 'svhost.exe could not be loaded' which was good to see. After running HJT and removing the two registry key things you said to, the error message did not come up the next time I rebooted after runnignHJT.

Anyway, here is the latest HJT log after doing your last set of excellent instructions:

Logfile of HijackThis v1.99.1
Scan saved at 21:31:54, on 26/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AntiVirus\security suite\ewidoctrl.exe
C:\Program Files\AntiVirus\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVirus\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/students
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\AntiVirus\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\AntiVirus\security suite\ewidoguard.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#29
death_hand

death_hand

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Have just had another warning window from Ewido telling me about the same .exe file as the picture on the 1st page of this thread shows :s
  • 0

#30
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Same filename?

If so, use Killbox with this as the Full Path of File to delete:

C:\Windows\qkcrxvibs.exe

Your log is clean now, by the way. :tazz:

Regards,

Pieter
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP