Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Eliminated most of it but suspect more [CLOSED]


  • This topic is locked This topic is locked

#1
Doc Holiday

Doc Holiday

    Member

  • Member
  • PipPip
  • 19 posts
I used Spy subtract, Ad-aware (from here) CWShredder (also here) and one other.

I cant seem to use Windows update, I think all the security things are set for enable (active X). Anyway, I've posted a hijack this log below. This is my daughters machine I am referring to.

Thanks,

Logfile of HijackThis v1.99.1
Scan saved at 9:55:58 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\emili\v32_emilio.exe
C:\Documents and Settings\Jerry.YOUR-2R8C4ODFB2\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jerry\Application Data\Mozilla\Profiles\default\d2342sn8.slt\prefs.js)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0023CF1A-01EF-441E-A5A7-5D2494B9CE66} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {07F3B284-3A45-4320-9E4C-F72E3C2C7653} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {15FFED3F-647D-4BD1-BF56-A7FB36950333} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2A4109B0-E7D4-4E77-A989-BEA98B07524F} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {3303CDFF-427C-44CA-B96C-27DD1ABC3DC7} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {361DA3BF-7313-43AF-9AC9-0520A7438654} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {394B03AE-5A96-4E33-931B-85440FEACB37} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {4760E4A2-FE3F-4FCE-8FEB-E172D760801C} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {50559985-7898-4A40-8A1C-9FEDF1AC284B} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {5228BCC6-5037-4AF3-BE3C-4B964BB29F05} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {5CC92BFE-8EE2-4444-A856-4F48BB76C241} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {671C3756-8D85-467B-BC6F-13933D13F498} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {6A288DFE-7628-440B-AB6E-99061F5AF8C4} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {7A6CC597-E829-4205-9A28-F88AAA6DD943} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {7CC756F3-976B-4821-BA13-7BB2716DF570} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {7FB4E640-F14D-4EC6-8D76-E4B7791A6021} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {89E4CB22-D0E3-49CA-9535-457A437713E9} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {8E162406-DAEE-414D-A705-0E0979D01961} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {90E703F9-BB85-4E65-BD8D-E7097D660740} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {9E5425F2-4EBC-416E-8F07-C5B9A49591F1} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {A1F4FDAB-1D52-44BF-B7A4-32F40F1969A1} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {AAB3B1E0-F50D-49D7-86C3-60C0FE5D52A6} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {AAE4F312-70BE-441D-8A4D-4F6ED7457B2C} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {B7E9354A-B303-DE4E-C582-1B30F2E0D056} - C:\WINDOWS\system32\jqktzvlq.dll
O2 - BHO: (no name) - {B9808AA9-5F82-4014-8195-368050A6A118} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C05A1F35-D0C9-4F80-8655-F4490F70C53A} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C11F8566-A137-4168-82B8-690D517E8057} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C53DB70D-6448-4681-9A66-3A30E0A779AF} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C5A1775B-C524-45A7-8B70-429289CB3740} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {CBB07D4D-38A0-4162-8482-1DC71D98508E} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {D3C57ADE-52BB-4710-8478-5A02197A0658} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {D3CBAD26-8894-4A33-BB18-2CBDB5BB4A29} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {D6A71097-5EFE-4A24-87F2-36398459226F} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {DA4D41D2-DE35-4ECD-8679-297BF6DF5BD3} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {E6F77C97-BF19-48FC-931A-860FD095B176} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {EBBBBFD3-7C5A-4166-996F-BE119E69208A} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {F42486CC-489B-4001-ABE2-40E0841D43AC} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {FD2F8522-89E4-463E-8BC4-8EE416A00AFB} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MS Updates] C:\WINDOWS\mscache.exe
O4 - HKLM\..\Run: [winde] c:\windows\system32\winde.exe /noconnect
O4 - HKLM\..\Run: [v32_emilio ml710e] "C:\Program Files\emili\v32_emilio.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<html>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\oaflsq.exe
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [etpbev] c:\windows\system32\etpbev.exe
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Ceoaibfa.dll
O21 - SSODL: mtklef - {C93459EA-B08D-4BD2-A090-39D16CFDC496} - C:\WINDOWS\System32\hjtkku32.dll
O21 - SSODL: mtklef - {C93459EA-B08D-4BD2-A090-39D16CFDC496} - C:\WINDOWS\System32\hjtkku32.dll
O21 - SSODL: mtklefap - {306B46B2-194D-4FF6-F3AB-B07274F38D96} - C:\WINDOWS\System32\drjwa32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Click on fltmgr.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\Program Files\emili\v32_emilio.exe - unless you know what it's for?

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0023CF1A-01EF-441E-A5A7-5D2494B9CE66} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {07F3B284-3A45-4320-9E4C-F72E3C2C7653} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {15FFED3F-647D-4BD1-BF56-A7FB36950333} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {2A4109B0-E7D4-4E77-A989-BEA98B07524F} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {3303CDFF-427C-44CA-B96C-27DD1ABC3DC7} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {361DA3BF-7313-43AF-9AC9-0520A7438654} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {394B03AE-5A96-4E33-931B-85440FEACB37} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {4760E4A2-FE3F-4FCE-8FEB-E172D760801C} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {50559985-7898-4A40-8A1C-9FEDF1AC284B} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {5228BCC6-5037-4AF3-BE3C-4B964BB29F05} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {5CC92BFE-8EE2-4444-A856-4F48BB76C241} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {671C3756-8D85-467B-BC6F-13933D13F498} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {6A288DFE-7628-440B-AB6E-99061F5AF8C4} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {7A6CC597-E829-4205-9A28-F88AAA6DD943} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {7CC756F3-976B-4821-BA13-7BB2716DF570} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {7FB4E640-F14D-4EC6-8D76-E4B7791A6021} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {89E4CB22-D0E3-49CA-9535-457A437713E9} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {8E162406-DAEE-414D-A705-0E0979D01961} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {90E703F9-BB85-4E65-BD8D-E7097D660740} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {9E5425F2-4EBC-416E-8F07-C5B9A49591F1} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {A1F4FDAB-1D52-44BF-B7A4-32F40F1969A1} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {AAB3B1E0-F50D-49D7-86C3-60C0FE5D52A6} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {AAE4F312-70BE-441D-8A4D-4F6ED7457B2C} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {B7E9354A-B303-DE4E-C582-1B30F2E0D056} - C:\WINDOWS\system32\jqktzvlq.dll
O2 - BHO: (no name) - {B9808AA9-5F82-4014-8195-368050A6A118} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C05A1F35-D0C9-4F80-8655-F4490F70C53A} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C11F8566-A137-4168-82B8-690D517E8057} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C53DB70D-6448-4681-9A66-3A30E0A779AF} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {C5A1775B-C524-45A7-8B70-429289CB3740} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {CBB07D4D-38A0-4162-8482-1DC71D98508E} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {D3C57ADE-52BB-4710-8478-5A02197A0658} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {D3CBAD26-8894-4A33-BB18-2CBDB5BB4A29} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {D6A71097-5EFE-4A24-87F2-36398459226F} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {DA4D41D2-DE35-4ECD-8679-297BF6DF5BD3} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {E6F77C97-BF19-48FC-931A-860FD095B176} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {EBBBBFD3-7C5A-4166-996F-BE119E69208A} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {F42486CC-489B-4001-ABE2-40E0841D43AC} - C:\Program Files\xktskmwd\xktskmwd.dll
O2 - BHO: (no name) - {FD2F8522-89E4-463E-8BC4-8EE416A00AFB} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MS Updates] C:\WINDOWS\mscache.exe
O4 - HKLM\..\Run: [winde] c:\windows\system32\winde.exe /noconnect
O4 - HKLM\..\Run: [v32_emilio ml710e] "C:\Program Files\emili\v32_emilio.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<html>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\oaflsq.exe
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [etpbev] c:\windows\system32\etpbev.exe
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\WINDOWS\System32\top.location.replace(strTemp);
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Ceoaibfa.dll
O21 - SSODL: mtklef - {C93459EA-B08D-4BD2-A090-39D16CFDC496} - C:\WINDOWS\System32\hjtkku32.dll
O21 - SSODL: mtklef - {C93459EA-B08D-4BD2-A090-39D16CFDC496} - C:\WINDOWS\System32\hjtkku32.dll
O21 - SSODL: mtklefap - {306B46B2-194D-4FF6-F3AB-B07274F38D96} - C:\WINDOWS\System32\drjwa32.dll


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\emili\ - unless you know what it's for, delete the whole folder
C:\Program Files\xktskmwd\
C:\Program Files\CSBB\
C:\WINDOWS\mscache.exe
c:\windows\system32\winde.exe
C:\Program Files\WildTangent\
C:\WINDOWS\System32\oaflsq.exe
c:\windows\system32\etpbev.exe
c:\windows\system32\fltmgr.dll
C:\WINDOWS\System32\Ceoaibfa.dll
C:\WINDOWS\System32\hjtkku32.dll


Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
Doc Holiday

Doc Holiday

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Ok... The problem I have now is that I still cant access many sites like the virus scan sites,or even the update windows site because I get an error that says "Your current security settings prohibit the use of active x controls..." or something to that effect. I have reset the security settings yet I still get the error. You should know still I got a pop up of some sort when I logged in here.

At any rate, here is a fresh log after completing your requested tasks.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:01 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\windows\system32\dkbqbyj.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jerry.YOUR-2R8C4ODFB2\My Documents\Spyware Killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jerry\Application Data\Mozilla\Profiles\default\d2342sn8.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ldqqvig] c:\windows\system32\dkbqbyj.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#4
Doc Holiday

Doc Holiday

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
In the mean time, I reinstalled XP with service pack 2. I know it needed done so I used my exsisting disk because the problem with updating.

Here is a fresh log, and to clarify the pop up I get is titled Aroura in the title bar regardless of the advertisement.

I think I will now try the virus scan site since I should now be able to access it without the "Active X preventing...."


Logfile of HijackThis v1.99.1
Scan saved at 3:34:27 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
c:\windows\system32\apvqdd.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jerry.YOUR-2R8C4ODFB2\My Documents\Spyware Killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jerry\Application Data\Mozilla\Profiles\default\d2342sn8.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [wgaohba] c:\windows\system32\apvqdd.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, since you have the aurora popups, we'll need a program to see if that can remove it for you.

You really should have held back on installing SP2 because it's very picky if installed on a unstable machine.

Download ewido security suite from here http://www.ewido.net/en/download/

Update it’s database from here.. http://www.ewido.net...wnload/updates/
Run a scan and let it clean the PC. Post a new hijackthis log when complete.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP