Aurora[RESOLVED]


  • This topic is locked

#1
jmgiv`
    New Member
  • Member
  • 4 posts
Can't seem to beat this

Here's my HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 11:29:03 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system\uovlikfd.exe
c:\windows\system32\nnqhqa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msidev.exe
C:\Documents and Settings\Md\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.intergate.com/startpage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...desearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...desearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...desearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...desearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...desearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...desearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MPEG Support Dll - {57A70350-87D9-4EA2-B3AC-C1C1B5296035} - C:\WINDOWS\system32\mpegcore.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6EA86F08-BA34-28C0-8750-67557FAD233A} - C:\WINDOWS\System32\lldhehn.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [uxqugt] c:\windows\system32\nnqhqa.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (HKCU)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v.../adobe/MTSInstallers/MetaStream3.cab?url=http://www.irobotmovie.com/english/atmosphere/index.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...r/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...a75a04439494ab03/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...t.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093837981390
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...nstaller/install.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai....1/1d/www.nielsennetpanel.com/netmeter4_5/nminstall_en_4.52.30.0_SILENT_2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...d/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ocx/exterior/Outside.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app...uite.net/detection/ITDetector.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0024.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildt...gn/partners/bellsouth/slyder/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98F0D0E-1C31-45D7-AF82-CEAA68446962}: Domain = intergate.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hmideas - Unknown owner - C:\WINDOWS\system32\hmideas.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#2
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello jmgiv

I'd like to help you but your HijackThis log is in pieces (blank lines and spaces all over) and almost impossible to read. Please submit a fresh log, click Preview Post to make sure it is alright, and then Post Reply if it is OK.

I am informed that if you turn off "word wrap" in Notepad, it should be OK.

Have a look at some other threads to see what a HJT log should look like.

Edited by Crustyoldbloke, 31 May 2005 - 10:37 AM.

  • 0

#3
jmgiv`
    New Member
  • Topic Starter
  • Member
  • 4 posts
Sorry about that, here is the updated log.

Logfile of HijackThis v1.99.1
Scan saved at 11:29:03 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system\uovlikfd.exe
c:\windows\system32\nnqhqa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msidev.exe
C:\Documents and Settings\Md\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.intergate.com/startpage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MPEG Support Dll - {57A70350-87D9-4EA2-B3AC-C1C1B5296035} - C:\WINDOWS\system32\mpegcore.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6EA86F08-BA34-28C0-8750-67557FAD233A} - C:\WINDOWS\System32\lldhehn.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [uxqugt] c:\windows\system32\nnqhqa.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (HKCU)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...here/index.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093837981390
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.....0_SILENT_2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0024.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildt...der/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98F0D0E-1C31-45D7-AF82-CEAA68446962}: Domain = intergate.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hmideas - Unknown owner - C:\WINDOWS\system32\hmideas.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#4
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

There is quite a lot to fix since you have Aurora plus a few other things too. Let’s get on with it.

Firstly could you please disable SpySweeper from running during the fix, it may just hinder our attempts to change anything.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
Ewido Security Suite
Hoster
Nail Fix

Go to Start>Run and type Services.msc then hit Ok
Scroll down and find this service:

System Startup Service (SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

SvcProc

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly, this is normal.

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: MPEG Support Dll - {57A70350-87D9-4EA2-B3AC-C1C1B5296035} - C:\WINDOWS\system32\mpegcore.dll
O2 - BHO: (no name) - {6EA86F08-BA34-28C0-8750-67557FAD233A} - C:\WINDOWS\System32\lldhehn.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (HKCU)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: hmideas - Unknown owner - C:\WINDOWS\system32\hmideas.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system\uovlikfd.exe
c:\windows\system32\nnqhqa.exe
C:\WINDOWS\system32\msidev.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\mpegcore.dll
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\Common Files\mc-58-12-0000079-d.exe
C:\Program Files\MyPointsPointAlert
C:\WINDOWS\system32\hmideas.exe
C:\WINDOWS\svcproc.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and I will take another look.

Please ensure you include the 3 logs as requested in your reply.
  • 0
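The Python script below is an added example; it is not part of this thread and not code from HijackThis or from Geeks to Go. It parses the log format shown in post #3 and applies a handful of triage rules that reproduce most of the helper's selection in post #4: an extra program on the Shell= line, search settings pointing at a third-party host, BHOs and toolbars whose file is missing or sits in the Windows root, autorun entries and services whose binary was dropped directly into C:\WINDOWS or carries a random-looking name, and any host in IE's Trusted zone. The sample entries are copied from the log above (with two clean entries kept for contrast); SEARCH_ALLOWLIST, KNOWN_GOOD, the vowel-ratio threshold in _looks_random and the wording of each rule are assumptions of this example, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass, field

WINDIR = r"c:\windows"
ROOT_DIRS = {WINDIR, r"c:\windows\system", r"c:\windows\system32"}  # droppers favour these roots; vendor subfolders such as system32\dla are deliberately not listed
SEARCH_ALLOWLIST = {"www.microsoft.com", "search.msn.com"}  # assumption: search hosts to accept
KNOWN_GOOD = {"ctfmon.exe"}  # assumption: legitimate short-named system32 binary
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|ocx|htm)\b", re.IGNORECASE)

@dataclass
class Finding:
    section: str
    reason: str
    line: str
    paths: list = field(default_factory=list)

def _split(path):  # -> (lower-cased directory, file name)
    d, _, name = path.rpartition("\\")
    return d.lower(), name

def _looks_random(name):
    """Few vowels or a five-consonant run: lvbzcc, nnqhqa, svcproc (heuristic)."""
    letters = "".join(c for c in name.rsplit(".", 1)[0].lower() if c.isalpha())
    if len(letters) < 5:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25 or bool(re.search(r"[^aeiouy]{5}", letters))

def triage(line):
    """Return a Finding for one log entry, or None when no rule fires."""
    section, _, rest = line.strip().partition(" - ")
    paths = list(dict.fromkeys(PATH_RE.findall(line)))  # dedupe, keep order
    reason = None
    if section == "F2" and "Shell=" in rest:
        # The only legitimate value is Explorer.exe; anything after it runs at every logon.
        if rest.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            reason = "extra program appended to the Shell= value"
    elif section in ("R0", "R1"):
        key, _, value = rest.partition(" =")
        host = re.sub(r"^[a-z]+://", "", value.strip().lower()).split("/", 1)[0]
        if "Search" in key and host and host not in SEARCH_ALLOWLIST:
            reason = "search setting points at unlisted host " + host
    elif section in ("O2", "O3"):
        if "(file missing)" in rest or "(no file)" in rest:
            reason = "orphaned BHO/toolbar registration, file is gone"
        elif any(_split(p)[0] == WINDIR for p in paths):
            reason = "BHO/toolbar DLL loaded from the Windows directory root"
    elif section == "O4":
        for d, name in map(_split, paths):
            if d in ROOT_DIRS and name.lower() not in KNOWN_GOOD:
                if d == WINDIR:
                    reason = "autorun executable dropped directly in the Windows directory"
                elif _looks_random(name):
                    reason = "autorun executable with a random-looking name in a system directory"
    elif section == "O15":
        reason = "host or IP added to IE's Trusted zone (a default install has none)"
    elif section == "O23":
        parts = rest.split(" - ")
        if len(parts) == 3 and parts[1] == "Unknown owner" and paths:
            svc = parts[0].partition("Service: ")[2].split(" (")[0]
            d, name = _split(paths[0])
            if d == WINDIR:
                reason = "service with no vendor name whose binary sits directly in the Windows directory"
            elif " " not in svc and svc.lower() == name.lower().rsplit(".", 1)[0]:
                reason = "service with no vendor name whose display name is just its file name"
    return Finding(section, reason, line.strip(), paths) if reason else None

def triage_log(text):
    """Run every R/F/O entry of a pasted log through triage()."""
    entries = [l for l in text.splitlines() if re.match(r"\s*[RFO]\d+ - ", l)]
    return [f for f in map(triage, entries) if f]

def delete_on_reboot(findings):
    """Files referenced by flagged entries: the list a Killbox-style tool would take."""
    files = {}
    for f in findings:
        for p in (f.paths if "orphaned" not in f.reason else []):  # orphans: nothing on disk
            files.setdefault(p.lower(), p)
    return sorted(files.values(), key=str.lower)

# Constructed sample: entries copied from the log in post #3 plus two clean ones (NeroCheck, ATI) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {6EA86F08-BA34-28C0-8750-67557FAD233A} - C:\WINDOWS\System32\lldhehn.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [uxqugt] c:\windows\system32\nnqhqa.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: hmideas - Unknown owner - C:\WINDOWS\system32\hmideas.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    print(*(f"{f.section:<4}{f.reason}: {f.line}" for f in triage_log(SAMPLE_LOG)), sep="\n")
```

Run it as a script to see the flagged sample entries. The ATI service shows why "Unknown owner" on its own is not a signal, and NeroCheck.exe shows why the random-name rule needs the vowel threshold rather than a bare "lives in system32" test. Fix Checked in HijackThis removes the registration but leaves the file on disk, which is why the helper pairs it with a delete-on-reboot list; delete_on_reboot builds that list from the flagged entries and skips the orphaned BHO whose DLL is already gone.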

#5
jmgiv`
    New Member
  • Topic Starter
  • Member
  • 4 posts
Okay, I did everything. First, here is the scan logfile:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:18:19 PM, 5/31/2005
+ Report-Checksum: 8D162C3B

+ Date of database: 5/31/2005
+ Version of scan engine: v3.0

+ Duration: 46 min
+ Scanned Files: 84593
+ Speed: 30.04 Files/Second
+ Infected files: 84
+ Removed files: 84
+ Files put in quarantine: 84
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\SYSTEM32\anajfqp.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msidev.exe -> Spyware.VB.gc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mpegcore.dll -> Spyware.MediaBack.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\rp0raae6.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\SYSTEM32\2e1lv4pr.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\SYSTEM32\unpack.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hmideas.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\lvbzcf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hmiuebp.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hbapycl.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hiasygb.dll -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\modgxyz.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\website.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\Handy-Paradies[hpa-10008,,].exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\doxhqmcypli.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\mm15201518.Stub.exe -> Spyware.EZula.ah -> Cleaned with backup
C:\WINDOWS\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\shop1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\Program Files\KaZaA Lite\supertrick.txt -> Trojan.Qhost.av -> Cleaned with backup
C:\Downloads\Monopoly3-dm[1].exe -> Spyware.Trymedia.a -> Cleaned with backup
C:\Documents and Settings\Md\Local Settings\Temp\4D5QF0EI.dll -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\Md\Local Settings\Temp\shop1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\Md\Local Settings\Temp\HZW\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Md\Local Settings\Temp\WToolsA.exe -> Spyware.Wintol.y -> Cleaned with backup
C:\Documents and Settings\Md\Cookies\md@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Md\Cookies\md@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Md\Cookies\md@abcsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Md\Cookies\md@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0081234.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0082196.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083198.exe -> Spyware.WinAD -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083201.exe -> Spyware.WebSearch.aj -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083202.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083205.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083206.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083213.exe -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083215.dll -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083217.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083224.dll -> Spyware.HotBar -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083241.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0083242.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0084256.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0085440.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0085441.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP357\A0085442.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0085445.exe -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0085451.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0085462.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0085480.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0085481.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086489.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086490.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086491.exe -> Spyware.Sahat.aa -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086492.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086493.exe -> TrojanDownloader.Dyfuca.dk -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086494.exe -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086504.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086505.exe -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP358\A0086507.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086533.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086534.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086535.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086536.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086543.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086558.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086581.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086587.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086599.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086600.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP359\A0086601.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP356\A0081190.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP356\A0081192.exe -> Spyware.Wintol.y -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP356\A0081199.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{1EA06A09-2E07-4A83-8407-B3126A027A9F}\RP356\A0081211.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End


Then here is the new HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:02 PM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Md\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.intergate.com/startpage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...here/index.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093837981390
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.....0_SILENT_2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0024.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildt...der/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98F0D0E-1C31-45D7-AF82-CEAA68446962}: Domain = intergate.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe



And finally here is the uninstall log from HijackThis:

ABBYY FineReader 5.0 Sprint
AC3Filter (remove only)
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Reader 7.0
Alarm Clock v1.0
America Online (Choose which version to remove)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
AVG Free Edition
BellSouth FastAccess DSL Help Center
BitTornado 0.3.7
Browser Mouse
Browser MOUSE
CCleaner (remove only)
CleanUp!
CloneDVD2
Creative DVD Audio Plugin for Audigy Series
dBpowerAMP Mp4 & AAC Decode Codec
dBpowerAMP Music Converter
dBpowerAMP Nero Mp4 Codec
dBpowerAMP Ogg Vorbis Codec
dBpowerAMP WMA V9 Codec
DivX
DivX Player
DVD Decoder Pak for Windows XP
DVD-Squeeze 3.0
ewido security suite
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HSP56 MicroModem Drivers
InterActual Player
InterVideo DVDCopy 2
InterVideo WinDVD 6
IsoBuster 1.7
iTunes
J2SE Runtime Environment 5.0
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Kazaa Lite K++ v2.4.3
Lexmark Skin: Helix
Lexmark Skin: PotatoSkin
Lexmark X74-X75
Macromedia Shockwave Player
MakeTorrent v2.1
Media Library Management Wizard
Micrografx Windows Draw 6 LE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
mIRC
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (1.0)
Mpeg Layer3 Codec FHG-Radium v1.263
MSN Messenger 7.0
MSN Music Assistant
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
MultiMedia Keyboard 1.1
MyPoints Point Alert!
Nero 6 Ultra Edition
NeroVision Express 3
OpenMG Secure Module 4.1.00
PaperlessPrinter version 3.0
PeerGuardian 2.0
Personal License Update Wizard for Windows Media Player
PhotoMAX SE
Plus! MP3 Audio Converter LE
Pop-Up Stopper Free Edition
PowerDVD
ProSavageDDR and Utilities
PSP Video 9 1.22
QuickSFV (Remove only)
QuickTime
RealPlayer
S3Display
S3Gamma2
S3Info2
S3Overlay
Select CashBack
Shockwave
Sonic Audio Module
Sonic Backup MyPC
Sonic CinePlayer
Sonic Copy Module
Sonic Data Module
Sonic DLA
Sonic Express Labeler
Sonic RecordNow!
Sonic Sonic MyDVD Studio Deluxe Suite
Sonic Update Manager
SonicStage 3.0
Spybot - Search & Destroy 1.2
TagScanner 4.8 build 481 beta
TaxACT 2003
TaxACT 2004
The ABI Network- A Division of Direct Revenue
VCD Galaxy DVDRip ComboPack
VIA Audio Driver Setup Program
VIA Rhine-Family Fast Ethernet Adapter
Wal-Mart Music Downloads Store
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
XDCC Catcher Basic
Xteq Systems X-Setup 6.3
Xteq-dotec X-Setup Pro 6.5.200.Final1
XviD MPEG-4 Video Codec
Yahoo! Messenger

#6
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again MD

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

We appear to be winning, but there is still more to do.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx

Now close all windows other than HijackThis, then click Fix Checked. Please now reboot into Safe Mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (click Start > Settings > Control Panel), if present:

InterActual Player
MyPoints Point Alert!
Select CashBack
WildTangent Web Driver

Please notify me of any other programmes that you don't recognise in that list in your next response.

Please install Killbox by Option^Explicit.

* Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
* In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\lvbzcc.exe
C:\WINDOWS\system32\guarnset.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.

#7
jmgiv`

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Alright, here's the new log. One thing though:

MyPoints Point Alert! &
WildTangent Web Driver

would not let me remove them from the Add/Remove Programs list.

Logfile of HijackThis v1.99.1
Scan saved at 2:41:04 PM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Md\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.intergate.com/startpage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...here/index.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093837981390
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.....0_SILENT_2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0024.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://install.wildt...der/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D98F0D0E-1C31-45D7-AF82-CEAA68446962}: Domain = intergate.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
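The fix two posts up lists four HijackThis entries to remove and asks for a fresh log. The following added example (not HijackThis code, and not written by anyone in this thread) parses HJT-style log lines, diffs a before/after log, and reports any fix-list entries that survived; the sample logs are constructed subsets of the logs posted in this thread.

```python
"""Parse HijackThis 1.99.1-style log lines and diff a 'before' log against a
fresh one, so the entries a helper asked to have fixed can be checked off.

Added example for this thread; it is not HijackThis code and not the thread's
own. The sample logs below are constructed subsets of the logs posted above."""
import re
from dataclasses import dataclass

# Every HJT finding starts with a section code (R0, R1, O2, O4, O16, O23, ...)
# followed by " - "; header and "Running processes" lines do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# O4 Run entries: [value name] then the target, quoted when the path has spaces.
O4_TARGET_RE = re.compile(
    r'\[(?P<name>[^\]]*)\]\s*"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))"?', re.I)


@dataclass(frozen=True)
class HjtEntry:
    section: str
    body: str

    def sort_key(self):
        # Numeric section order (O4 before O16), then the entry text.
        return (self.section[0], int(self.section[1:]), self.body)


def parse_hjt(text):
    """Return the set of findings in an HJT log; non-finding lines are skipped."""
    found = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            found.add(HjtEntry(m.group("section"), m.group("body")))
    return found


def diff_logs(before, after):
    """Findings that disappeared and findings that appeared between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {"removed": sorted(b - a, key=HjtEntry.sort_key),
            "added": sorted(a - b, key=HjtEntry.sort_key)}


def unfixed_entries(after, fix_list):
    """Lines from the helper's fix list that are still present in the fresh log."""
    present = parse_hjt(after)
    return sorted((e for e in parse_hjt(fix_list) if e in present),
                  key=HjtEntry.sort_key)


def o4_targets(entries):
    """File paths launched by O4 Run entries (the files the helper then deletes)."""
    paths = []
    for e in entries:
        if e.section == "O4":
            m = O4_TARGET_RE.search(e.body)
            if m:
                paths.append(m.group("path"))
    return sorted(paths)


# Constructed subset of the log posted before the fix.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Constructed subset of the fresh log posted after the fix.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# The four entries the helper asked to have fixed.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [lvbzcc] C:\WINDOWS\system32\lvbzcc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
"""

if __name__ == "__main__":
    d = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *[f"{e.section} - {e.body}" for e in d["removed"]], sep="\n  ")
    print("added:", *[f"{e.section} - {e.body}" for e in d["added"]], sep="\n  ")
    print("still to fix:", unfixed_entries(AFTER_LOG, FIX_LIST) or "none")
    print("files from removed O4 entries:", o4_targets(d["removed"]))
```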

#8
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Your log is almost clean, except for two non-malicious entries: Viewpoint and WildTangent. They both report back to their sponsors, but neither does anything bad. If you want to get rid of them, try this:

Close all programmes leaving only HijackThis running. Scan with HJT and place a checkmark against each of the following:

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...here/index.html


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following folder, and delete it:

C:\Program Files\WildTangent\

Exit Explorer, and reboot as normal afterwards.

Post a fresh HJT log and I'll take another look.

#9
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.