The problems I am having are at the bottom of this page. Thank you.
First are my ewido reports.
---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------
+ Created on: 1:52:33 AM, 5/1/2005
+ Report-Checksum: 6461D96D
Reg\HKLM\Run LVCOMS C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
Reg\HKLM\Run NvMixerTray "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Reg\HKLM\Run ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Reg\HKCU\Run Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
Reg\HKCU\Run Steam "c:\program files\valve\steam\steam.exe" -silent
Reg\HKCU\Run areslite "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
Reg\HKCU\Run STYLEXP C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
Reg\HKCU\Run PSwitch C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
Reg\HKCU\Run AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
Reg\HKCU\Run LDM \Program\BackWeb-8876480.exe
Shell\CommonStartup Adobe Gamma Loader.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
Shell\CommonStartup Logitech Desktop Messenger.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
Shell\CommonStartup Photo Loader supervisory.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
Shell\UserStartup PowerReg Scheduler.exe C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\PowerReg Scheduler.exe
---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------
+ Created on: 1:52:58 AM, 5/1/2005
+ Report-Checksum: 7DA1514A
0: System Process
4: System Process
268: C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
280: \SystemRoot\System32\smss.exe
332: \??\C:\WINDOWS\system32\csrss.exe
356: \??\C:\WINDOWS\system32\winlogon.exe
472: C:\WINDOWS\system32\wscntfy.exe
492: C:\WINDOWS\system32\Ati2evxx.exe
600: C:\WINDOWS\Explorer.EXE
624: C:\WINDOWS\system32\services.exe
636: C:\WINDOWS\system32\lsass.exe
876: C:\WINDOWS\system32\Ati2evxx.exe
888: C:\WINDOWS\system32\svchost.exe
960: C:\WINDOWS\system32\svchost.exe
1052: C:\WINDOWS\System32\svchost.exe
1088: C:\WINDOWS\system32\wscntfy.exe
1096: C:\WINDOWS\System32\svchost.exe
1104: C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
1128: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1136: C:\Program Files\QuickTime\qttask.exe
1144: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
1160: C:\WINDOWS\System32\svchost.exe
1204: C:\Program Files\Messenger\msmsgs.exe
1212: C:\program files\valve\steam\steam.exe
1244: C:\Program Files\MSN Messenger\msnmsgr.exe
1276: C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
1296: C:\Program Files\AIM\aim.exe
1440: C:\WINDOWS\system32\spoolsv.exe
1588: C:\Program Files\ewido\security suite\ewidoctrl.exe
1684: C:\WINDOWS\System32\svchost.exe
1692: C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
1728: C:\Program Files\CASIO\Photo Loader\Plauto.exe
1996: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2004: C:\WINDOWS\System32\alg.exe
2080: \??\C:\WINDOWS\system32\csrss.exe
2196: C:\WINDOWS\system32\Ati2evxx.exe
2204: C:\WINDOWS\Explorer.EXE
2296: C:\Program Files\QuickTime\qttask.exe
2316: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2332: C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
2372: C:\WINDOWS\System32\svchost.exe
2520: C:\Program Files\CASIO\Photo Loader\Plauto.exe
2532: C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
3964: C:\WINDOWS\system32\NOTEPAD.EXE
4052: \??\C:\WINDOWS\system32\winlogon.exe
4092: C:\Program Files\ewido\security suite\SecuritySuite.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:46:47 PM, 4/30/2005
+ Report-Checksum: 75CB6AE0
+ Date of database: 4/30/2005
+ Version of scan engine: v3.0
+ Duration: 115 min
+ Scanned Files: 259853
+ Speed: 37.40 Files/Second
+ Infected files: 30
+ Removed files: 29
+ Files put in quarantine: 29
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
F:\
+ Scan result:
C:\Documents and Settings\Janice\Cookies\janice@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@targetnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\janice@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Janice\Desktop\backups\backup-20050430-120958-578.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\Documents and Settings\Janice\Desktop\backups\backup-20050430-120958-825.dll -> Spyware.DlMax.a -> Cleaned with backup
C:\Documents and Settings\Janice\Desktop\backups\backup-20050430-124330-361.dll -> Spyware.DlMax.a -> Cleaned with backup
C:\Documents and Settings\Janice\Local Settings\Temp\DrTemp\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\Documents and Settings\Janice\Local Settings\Temp\THI2CA.tmp\dlmax.dll -> Spyware.DlMax.a -> Cleaned with backup
C:\Documents and Settings\Jordan\Cookies\jordan@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jordan\Cookies\jordan@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jordan\Cookies\jordan@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jordan\Local Settings\Temp\THI1962.tmp\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\Documents and Settings\Jordan\Local Settings\Temp\THI607E.tmp\dlmax.dll -> Spyware.DlMax.a -> Cleaned with backup
C:\Documents and Settings\Jordan\Local Settings\Temporary Internet Files\Content.IE5\CLI9KH05\Bolger[1].dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\system32\udlglanx.exe -> Trojan.Agent.ay -> Cleaned with backup
C:\WINDOWS\uxdukbdyqp.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
F:\Checked 8\Final_Draft_v7.0.0.43_Cracked_by_BLiZZARD.zip/crack.exe -> TrojanDownloader.IstBar.er -> Error during cleaning
::Report End
-----------------------------------------------------------------------------------------
Then I did a HijackThis scan...
---------------------------------------------------------
HijackThis - Log
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:55:41 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 134.159.124.202:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PSwitch] C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
-----------------------------------------------------------------------------------------
Then I did a Spybot S&D scan.
---------------------------------------------------------
Spybot S&D - Log
---------------------------------------------------------
LinkSynergy: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
ClickAgents: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
IE Plugin: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}
IE Plugin: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame.1
IE Plugin: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame
ISTbar.Slotch: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
Possible extension hijack: Default registry file handler (Registry change, nothing done)
HKEY_CLASSES_ROOT\regfile\shell\open\command\!=regedit.exe "%1"
TargetNet: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
ValueClick: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: Jordan) (Cookie, nothing done)
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi
----------------------------------------------------------------------------------------
I have used Killbox, Ewido, HijackThis, and some online virus programs that stop halfway through and don't finish. I have gotten rid of nail.exe, wupdt.exe, and some other crap, I think... but somewhere in the process, my sound no longer works and I get beeps. I thought maybe my nForce sound card drivers got deleted, so I reinstalled them; it still didn't work. Everything is fine in Device Manager as well. I also still have Aurora, and I don't know how to get rid of it, so if someone could help me, I would appreciate it. Thanks!
Also, this shows up almost every time I run Spybot:
Possible extension hijack: Default registry file handler (Registry change, nothing done)
HKEY_CLASSES_ROOT\regfile\shell\open\command\!=regedit.exe "%1"
EDIT: I would also like to add:
A command program runs every time I start Windows. It comes up as kypmjss.exe quickly, then disappears. Does anyone know what this is?
Edited by irhxcbcziuzxs, 02 May 2005 - 09:00 PM.