Popups and Aurora


  • This topic is locked This topic is locked

#1 MondiBlue (Member, 10 posts)
Here's my logfile. Please help me:
Logfile of HijackThis v1.99.1
Scan saved at 4:33:55 PM, on 04/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\MMTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\mnoczt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\DC Series 1\Console\Watch.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\DOCUME~1\Chase\LOCALS~1\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.arkansas....um.asp?fid=1191
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CF93A20-C21D-2CCF-875F-16550EF3216B} - C:\WINDOWS\system32\ppub.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {8419C74B-2413-2429-0323-F889937157D7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [klsvqtwh] C:\WINDOWS\klsvqtwh.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [ccbyvv] c:\windows\system32\mnoczt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dvemv] C:\WINDOWS\system32\??rvices.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [KazaaMate] C:\Program Files\Kazaa-Pal\Kazaa-Pal.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office3\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome MondiBlue to Geeks to Go!

Sorry for the delay, the forums are very busy.


You are running HijackThis from its zipped archive; please create a new folder for it and unzip the program into it. It is very important you do this before anything else!

***

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run from Safe Mode: unhooks Nail.exe and removes the SvcProc service
cd\windows
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

***

Next, please reboot your computer in Safe Mode.
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

***

Open HijackThis
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.arkansas....um.asp?fid=1191

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {1CF93A20-C21D-2CCF-875F-16550EF3216B} - C:\WINDOWS\system32\ppub.dll (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {8419C74B-2413-2429-0323-F889937157D7} - (no file)

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O4 - HKLM\..\Run: [klsvqtwh] C:\WINDOWS\klsvqtwh.exe

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe

O4 - HKLM\..\Run: [ccbyvv] c:\windows\system32\mnoczt.exe

O4 - HKCU\..\Run: [Dvemv] C:\WINDOWS\system32\??rvices.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Then close all open windows except for HijackThis and click Fix Checked.

***

Then delete these files:
C:\WINDOWS\klsvqtwh.exe
C:\WINDOWS\system32\gah95on6.ex
c:\windows\system32\mnoczt.exe

Restart your computer

***

Please run Notepad and copy the following text into a new file:
REM /a lists files with any attribute (including hidden); ?? matches the two undisplayable characters
dir C:\WINDOWS\system32\??rvices.exe /a > files.txt
notepad files.txt
Save the file to the desktop as findfile.bat and make sure the "Save as type" field says "All files".
Double-click the findfile.bat on your desktop. It will create a file called files.txt.

***

Download this scanner:
ewido.
Install it and doubleclick the icon on your desktop.
Let it update.
Then, let it do a full run, and copy the log. Paste it to a blank Notepad file and save it to post here.
Then let it rerun. Save that log too.

Post back here with a fresh log using HijackThis and both scan results.
Also post me the content of the files.txt we created earlier.
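As an added example (not from the thread and not part of HijackThis), the following Python script reads a HijackThis v1.99 log and flags the kinds of entries g2i2r4 singled out above: an F2 Shell= value with a second program chained onto Explorer.exe, a non-default IE Local Page, unnamed or orphaned O2/O3/O9 add-ons, O4 Run entries starting an unrecognised or undisplayably named (??) executable from the Windows directory, and O23 services with no vendor running from the Windows directory. The sample log, the allowlist of known-good system executables and the placeholder start-page host are constructed.

```python
"""Triage a HijackThis v1.99 log for the entry types singled out in this thread."""
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.99 log format. The entries mirror those
# quoted in the thread; the hijacked start-page host is a placeholder.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked-start-page.example/forum.asp?fid=1191
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CF93A20-C21D-2CCF-875F-16550EF3216B} - C:\WINDOWS\system32\ppub.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [klsvqtwh] C:\WINDOWS\klsvqtwh.exe
O4 - HKLM\..\Run: [ccbyvv] c:\windows\system32\mnoczt.exe
O4 - HKCU\..\Run: [Dvemv] C:\WINDOWS\system32\??rvices.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Constructed allowlist: executables that legitimately start from the Windows
# directory on this machine. A real helper checks against a far larger list.
KNOWN_GOOD_SYSTEM_BINARIES = {
    "ctfmon.exe", "qttask.exe", "nerocheck.exe", "mmtray.exe",
    "gwmdmmsg.exe", "gwmdmpi.exe", "updreg.exe",
}
DEFAULT_LOCAL_PAGE = r"c:\windows\system32\blank.htm"  # IE default on Windows XP

LINE_RE = re.compile(r"^(?P<sec>R\d|F\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))\b', re.IGNORECASE)


def exe_path(cmd: str) -> str:
    """Return the program path from an O4 command line, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").strip('"') if m else cmd.strip()


def in_windows_dir(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    p = path.lower().replace("/", "\\")
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return parent in (r"c:\windows", r"c:\windows\system32")


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every log entry that deserves a second look."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((sec, "extra program chained onto the Windows shell", line))
        elif sec == "R0" and ",Local Page = " in body:
            if body.split(",Local Page = ", 1)[1].strip().lower() != DEFAULT_LOCAL_PAGE:
                findings.append((sec, "Local Page is not the IE default blank.htm", line))
        elif sec in ("R0", "R1") and "http" in body:
            findings.append((sec, "start/ShellNext URL: confirm the user chose it", line))
        elif sec in ("O2", "O3", "O9"):
            if any(tag in body for tag in ("(no name)", "(file missing)", "(no file)")):
                findings.append((sec, "unnamed or orphaned browser add-on", line))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # Global Startup shortcuts are not checked here
            path = exe_path(o4.group("cmd"))
            base = path.rsplit("\\", 1)[-1].lower()
            if "?" in base:
                findings.append((sec, "undisplayable characters in file name (lookalike of a system binary)", line))
            elif in_windows_dir(path) and base not in KNOWN_GOOD_SYSTEM_BINARIES:
                findings.append((sec, "unrecognised executable started from the Windows directory", line))
        elif sec == "O23":
            svc = O23_RE.match(body)
            if svc and svc.group("owner") == "Unknown owner" and in_windows_dir(svc.group("path")):
                findings.append((sec, "service with no vendor running from the Windows directory", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```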
#3 MondiBlue (Topic Starter, Member, 10 posts)
I did everything you said to do. Is this what you wanted?

This is from ewido.
---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 1:03:29 AM, 05/02/2005
+ Report-Checksum: 8EDA247B

0: System Process
4: System Process
136: C:\Documents and Settings\Chase\Desktop\security suite\ewidoctrl.exe
328: C:\WINDOWS\system32\wdfmgr.exe
484: C:\WINDOWS\wanmpsvc.exe
592: \SystemRoot\System32\smss.exe
664: \??\C:\WINDOWS\system32\csrss.exe
688: \??\C:\WINDOWS\system32\winlogon.exe
732: C:\WINDOWS\system32\services.exe
744: C:\WINDOWS\system32\lsass.exe
908: C:\WINDOWS\system32\svchost.exe
968: C:\WINDOWS\system32\svchost.exe
1080: C:\WINDOWS\System32\svchost.exe
1156: C:\Program Files\Norton Internet Security\ccPxySvc.exe
1180: C:\WINDOWS\System32\svchost.exe
1252: C:\Documents and Settings\Chase\Desktop\security suite\ewidoguard.exe
1372: C:\WINDOWS\System32\svchost.exe
1448: C:\WINDOWS\System32\alg.exe
1544: C:\WINDOWS\system32\spoolsv.exe
1628: C:\WINDOWS\system32\NOTEPAD.EXE
1680: C:\WINDOWS\system32\MsgSys.EXE
1780: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
1812: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1860: C:\Program Files\NavNT\defwatch.exe
1896: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
1948: C:\Program Files\Norton Internet Security\NISUM.EXE
2040: C:\Program Files\NavNT\rtvscan.exe
2356: C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
2744: C:\WINDOWS\system32\devldr32.exe
2752: C:\WINDOWS\Explorer.exe
2868: C:\Program Files\Logitech\iTouch\iTouch.exe
2904: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
2928: C:\WINDOWS\GWMDMMSG.exe
2940: C:\Documents and Settings\Chase\Desktop\security suite\securitysuite.exe
3012: C:\Program Files\NavNT\vptray.exe
3028: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3084: C:\WINDOWS\system32\MMTray.exe
3180: C:\WINDOWS\system32\NOTEPAD.EXE
3196: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
3212: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
3264: C:\WINDOWS\kdx\KHost.exe
3288: C:\WINDOWS\system32\qttask.exe
3324: C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
3404: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
3496: C:\Program Files\AWS\WeatherBug\Weather.exe
3592: C:\WINDOWS\System32\wbem\wmiprvse.exe
3624: C:\Program Files\Internet Explorer\iexplore.exe
3640: C:\WINDOWS\system32\ctfmon.exe
3708: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
3728: C:\Program Files\DC Series 1\Console\Watch.exe
3752: C:\Program Files\America Online 9.0a\aoltray.exe
3884: C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 1:03:11 AM, 05/02/2005
+ Report-Checksum: 5D5CF74C

Reg\HKLM\Run AOL Spyware Protection "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
Reg\HKLM\Run MMTray MMTray.exe
Shell\CommonStartup Watch.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Watch.lnk
Shell\CommonStartup America Online 9.0 Tray Icon.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
File\SystemIni il.exe Explorer.exe C:\WINDOWS\Nail.exe
Reg\HKLM\Run zBrowser Launcher C:\Program Files\Logitech\iTouch\iTouch.exe
Reg\HKLM\Run EM_EXEC C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Reg\HKLM\Run GWMDMMSG GWMDMMSG.exe
Reg\HKLM\Run GWMDMpi C:\WINDOWS\GWMDMpi.exe
Reg\HKLM\Run UpdReg C:\WINDOWS\Updreg.exe
Reg\HKLM\Run WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Reg\HKLM\Run Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Reg\HKLM\Run vptray C:\Program Files\NavNT\vptray.exe
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Reg\HKLM\Run NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
Reg\HKCU\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Reg\HKLM\Run AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
Reg\HKLM\Run Pure Networks Port Magic "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
Reg\HKLM\Run kdx C:\WINDOWS\kdx\KHost.exe
Reg\HKLM\Run QuickTime Task "C:\WINDOWS\system32\qttask.exe" -atboottime
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Reg\HKLM\Run NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Reg\HKLM\Run gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Reg\HKCU\Run Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Reg\HKCU\Run EasyDVDPlayer "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
Reg\HKCU\Run Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
Reg\HKCU\Run Weather C:\Program Files\AWS\WeatherBug\Weather.exe 1
Reg\HKCU\Run MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Reg\HKCU\Run ares "C:\Program Files\Ares\Ares.exe" -h
Reg\HKCU\Run KazaaMate C:\Program Files\Kazaa-Pal\Kazaa-Pal.exe
Reg\HKCU\Run Skype "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
Shell\CommonStartup Microsoft Works Calendar Reminders.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Logfile of HijackThis v1.99.1
Scan saved at 1:08:09 AM, on 05/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\MMTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\DC Series 1\Console\Watch.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Chase\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Chase\Desktop\security suite\ewidoguard.exe
C:\Documents and Settings\Chase\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [KazaaMate] C:\Program Files\Kazaa-Pal\Kazaa-Pal.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office3\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Chase\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Chase\Desktop\security suite\ewidoguard.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

files.txt:
Volume in drive C has no label.
Volume Serial Number is 8434-9F74

Directory of C:\WINDOWS\system32

09/08/2004 12:36 PM 372,736 ??rvices.exe
08/04/2004 02:56 AM 108,032 services.exe
2 File(s) 480,768 bytes

Directory of C:\Documents and Settings\Chase\Desktop

#4 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Please post me the list made by Ewido showing you the infected files.

#5 MondiBlue (Topic Starter, Member, 10 posts)
I can't find the log on this for the quarantine. I went to my Quarantine and typed out the locations of the files there (it wouldn't let me cut and paste). Here they are:

C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178839.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178833.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178832.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178831.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178830.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178829.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178828.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178827.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178826.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178825.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178824.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178823.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178822.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178821.dll
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178805.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178804.dll
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178801.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178792.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178787.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178781.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178780.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178777.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178766.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178700.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178698.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178651.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178650.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178622.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178621.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178575.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178574.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178527.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178513.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178485.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178478.dll
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178347.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178323.dll
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178319.dll
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178277.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178200.exe
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0177861.DLL
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0177860.DLL
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0177859.EXE
C:\System Volume Information\_restore{C41878A9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0174710.exe
C:\Document and Settings\Chase\cookies\[email protected][1].txt
C:\Document and Settings\Chase\cookies\chase@atdmt[2].txt
C:\Document and Settings\Chase\cookies\chase@doubleclick[1].txt
C:\Document and Settings\Chase\cookies\chase@hitbox[2].txt
C:\WINDOWS\Nail.exe
  • 0

#6 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Please rerun Ewido and copy the log where it says 'infected files'. Paste it into a blank Notepad file and save it to post here.
Then let it rerun. Save that log too.

It should look like this:

+ Created on: 6:48:25 PM, 5/1/2005
+ Report-Checksum: 5666816

+ Date of database: 5/2/2005
+ Version of scan engine: v3.0

+ Duration: 28 min
+ Scanned Files: 49611
+ Speed: 28.57 Files/Second
+ Infected files: 11
+ Removed files: etc.


  • 0

#7 MondiBlue (Topic Starter, Member, 10 posts)
Here's the log of infected files:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:19:17 PM, 05/02/2005
+ Report-Checksum: A662FE8C

+ Date of database: 05/02/2005
+ Version of scan engine: v3.0

+ Duration: 42 min
+ Scanned Files: 121911
+ Speed: 47.67 Files/Second
+ Infected files: 24
+ Removed files: 24
+ Files put in quarantine: 24
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Chase\Cookies\chase@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chase\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chase\Cookies\chase@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178793.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178840.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178841.exe -> Spyware.TimeSink -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178844.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178845.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1026\A0178851.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP970\A0158858.EXE -> Spyware.MyWay.b -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP970\A0158859.DLL -> Spyware.MyWay.e -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP970\A0158878.DLL -> Spyware.ToolBar.MyWay.g -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1010\A0172233.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP974\A0160082.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP974\A0160084.exe -> Spyware.Quick.b -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP974\A0160127.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP974\A0160137.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP974\A0160162.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1007\A0166619.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1007\A0166620.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1007\A0166621.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1012\A0174810.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1012\A0177805.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{C4187BA9-7563-4EFE-B482-C14A20ABCB6F}\RP1014\A0178010.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End
  • 0

#8 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Open Windows Explorer.
Navigate to this folder:
C:\WINDOWS\system32

Find the file called services.exe, created 09/08/2004 12:36 PM, size 372,736.
You can check that you are deleting the right file by right-clicking on the file and checking the date and size.

Be sure to delete the one I mention above. The other one is legit.

***

Ewido cleared out some cookies. But it also removed a fair number of files from your System Restore. Let's create a new, clean restore point.

Reset and Re-enable your System Restore:

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

***

You have the Microsoft® Windows® AntiSpyware (Beta) installed; right-click the Windows AntiSpyware icon in the taskbar notification area and click "Shutdown Microsoft AntiSpyware". It gets in the way of cleaning.

***

Open HijackThis.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

***

Reboot the system. Post back here with a fresh log using HijackThis.

Edited by g2i2r4, 03 May 2005 - 12:04 PM.

  • 0
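The two HijackThis entries the helper asks to fix above (an F2 Shell= value that chains a second executable after Explorer.exe, and an O2 BHO whose DLL is missing) can be spotted mechanically. This is an added example, not HijackThis's own code or anything posted in the thread; the regexes are an assumption of this example, and the sample log lines are constructed from entries quoted in the thread plus one benign BHO entry for contrast.

```python
"""Triage HijackThis-style log lines for a chained Shell= value and
for BHOs that are missing or load directly from the Windows folder.
Example code, not HijackThis's parser; regexes are an assumption."""
import re

# Constructed sample: two entries quoted by the helper in this thread,
# one benign Acrobat BHO, one ordinary O4 Run entry that is ignored.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
O2_BHO = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Folders where a legitimate BHO DLL is not expected to live (assumption).
SUSPECT_FOLDERS = ("c:\\windows", "c:\\windows\\system32")


def check_shell(value):
    """A clean XP Shell= value is just Explorer.exe; anything appended
    after it is launched at every logon, which is how Nail.exe persists."""
    extras = [p for p in value.split() if p.lower() != "explorer.exe"]
    if extras:
        return "F2 Shell chains extra executable(s): " + ", ".join(extras)
    return None


def check_bho(m):
    """Flag a BHO whose file is gone (dangling CLSID) or that loads from
    the Windows folder itself rather than a program's own directory."""
    name, path = m.group("name"), m.group("path")
    if m.group("missing"):
        return f"O2 BHO {name} points at missing file {path}"
    folder = path.rsplit("\\", 1)[0].lower()
    if folder in SUSPECT_FOLDERS:
        return f"O2 BHO {name} loads from Windows folder: {path}"
    return None


def triage(log_text):
    """Return (section, finding) pairs for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_SHELL.match(line)
        if m:
            f = check_shell(m.group("value"))
            if f:
                findings.append(("F2", f))
            continue
        m = O2_BHO.match(line)
        if m:
            f = check_bho(m)
            if f:
                findings.append(("O2", f))
    return findings


if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(section, "-", finding)
```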

#9 MondiBlue (Topic Starter, Member, 10 posts)
For some reason, I couldn't find that one services.exe and I checked in a lot of different places, so I think I may have already deleted it. Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 12:13:40 AM, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\Chase\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Chase\Desktop\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\MMTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\DC Series 1\Console\Watch.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Chase\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....um.asp?fid=1191
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [KazaaMate] C:\Program Files\Kazaa-Pal\Kazaa-Pal.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office3\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Chase\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Chase\Desktop\security suite\ewidoguard.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#10 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
We need to make sure all hidden files are showing, so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Open Windows Explorer.
Navigate to this folder:
C:\WINDOWS\system32

Find the file called services.exe, created 09/08/2004 12:36 PM, size 372,736.
You can check that you are deleting the right file by right-clicking on the file and checking the date and size.

Be sure to delete the one I mention above. The other one is legit.

Let me know if this helped.

How are things now?



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 21 May 2005 - 03:34 AM.

  • 0