Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Stupid neighbor kid... [RESOLVED]


  • This topic is locked This topic is locked

#1
ozerik

ozerik

    New Member

  • Member
  • Pip
  • 8 posts
After three years of using her computer totally virus/trojan/adware free, my neighbor kid used my wife's computer for half an hour and infected it beyond my best efforts to clean myself.
I humbly defer to your collective, infinite wisdom to tell me what to do! My solution would be to do a clean installation of XP, but after three years of use, Karen's computer is exactly the way she likes it.

Something's in here which starts up all kinds of stuff like popups, requests to install browser and toolbar enhancers which my best fast-clicking on the "end process tree" cannot keep up with.

It's. Horrible. Here's a link to a screenshot

So... after a few hours of following directions in other posts, i'm starting my own thread. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:54:34 PM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\vznuma.exe
C:\WINDOWS\system\aoxal.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8SkPlay.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\adsldpc3.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\eZula\mmod.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://e14.email.exc...5e50d892189a58a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50249
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - c:\sysfwb\2742545527\iefwbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\SYSsfitb.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyrl32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [brlepc] C:\WINDOWS\System32\brlepc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [8daa8707ae99] C:\WINDOWS\System32\adsldpc3.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Excite Community Tools Notifier] "C:\Program Files\Excite\PrvtMsgr\bin\x8SkPlay.exe" Notifier
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/i...etup1.0.0.4.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)



Here's my ewido security suite log file:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:53:10 PM, 5/31/2005
+ Report-Checksum: 45DC4A78

+ Date of database: 5/31/2005
+ Version of scan engine: v3.0

+ Duration: 72 min
+ Scanned Files: 210045
+ Speed: 48.05 Files/Second
+ Infected files: 66
+ Removed files: 65
+ Files put in quarantine: 65
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\!Submit\nail.exe -> Trojan.Nail -> Cleaned with backup
C:\!Submit\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\karyn\Cookies\karyn@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\karyn\Cookies\karyn@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\karyn\Cookies\karyn@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temp\f2117705.exe -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temp\toc_0018.exe -> TrojanDownloader.Agent.jq -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\0LABSLUF\130[1].bin -> TrojanDropper.Agent.kd -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\0LABSLUF\142[1].bin -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\0LABSLUF\29[1].bin -> TrojanDropper.Delf.z -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\45AB89AB\aun_0035[1].exe -> TrojanDownloader.Small.akz -> Error during cleaning
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\GDIJGHMJ\164[1].bin -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\GDIJGHMJ\inst12[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\GDIJGHMJ\pcs_0019[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\GDIJGHMJ\trk_0025[1].exe -> Spyware.Pacer.e -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\GDIJGHMJ\winupdt[1].exe -> TrojanDownloader.Agent.jq -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\KLQNOTMV\fwbar2_main2[1].dll -> Spyware.CoolBar.a -> Cleaned with backup
C:\Documents and Settings\karyn\Local Settings\Temporary Internet Files\Content.IE5\KLQNOTMV\toc_0018[1].exe -> TrojanDownloader.Agent.jq -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\Program Files\Common Files\tsa\tsl.exe -> TrojanDownloader.TSUpdate.f -> Cleaned with backup
C:\Program Files\Common Files\WinTools\WSup.exe -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsA.exe -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsB.dll -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsS.exe -> TrojanDownloader.Wintool.f -> Cleaned with backup
C:\Program Files\FwBarTemp\searchbar.exe -> TrojanDownloader.VB.eu -> Cleaned with backup
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs -> Cleaned with backup
C:\Program Files\Toolbar\common.dll -> Spyware.WebSearch.aj -> Cleaned with backup
C:\Program Files\Toolbar\gykhxlmu.rmr -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Toolbar\IExploreSkins.exe -> Spyware.Websearch -> Cleaned with backup
C:\Program Files\Toolbar\PIB.exe -> Spyware.WebSearch.aj -> Cleaned with backup
C:\Program Files\Toolbar\radio.exe -> Spyware.WebSearch -> Cleaned with backup
C:\Program Files\Toolbar\TBPS.exe -> Spyware.WebSearch.aj -> Cleaned with backup
C:\Program Files\Toolbar\toolbar.dll -> Spyware.WebSearch -> Cleaned with backup
C:\Program Files\Toolbar\xlmurin.wzg -> Spyware.IBISToolbar -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1482476501-1682526488-1343024091-1003\Dc5.exe -> Trojan.Nail -> Cleaned with backup
C:\temporary\aun_0018.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\temporary\aun_0036.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\WINDOWS\Helper101.dll -> Spyware.Delf.r -> Cleaned with backup
C:\WINDOWS\LastGood\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\LastGood\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\sfita.exe -> Trojan.Favadd.o -> Cleaned with backup
C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Small.ez -> Cleaned with backup
C:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\WINDOWS\system32\brlml2.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\system32\Cache\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\system32\Cache\EDow_AS2.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\WINDOWS\system32\Cache\HelperInstall.exe -> TrojanDropper.Delf.z -> Cleaned with backup
C:\WINDOWS\system32\Cache\installer.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\system32\Cache\thin-175-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\cfgscard.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Agent.dh -> Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\WINDOWS\system32\exp.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\system32\pinstaller.exe -> Spyware.UrlSpy.b -> Cleaned with backup
C:\WINDOWS\system32\puvwb.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\replaceSearch.dll -> Spyware.ReSearch.a -> Cleaned with backup
C:\WINDOWS\system32\stlb2.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\WINDOWS\system32\wintask.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\system32\winup2date.dll -> Spyware.Small.et -> Cleaned with backup
C:\WINDOWS\system32\winupdt.exe -> TrojanDownloader.Agent.jq -> Cleaned with backup
C:\WINDOWS\system32\wmconfig.cpl -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\woinstall.exe -> Spyware.EzuLa -> Cleaned with backup


::Report End

  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Ozerik and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have a mixture of malware that needs to be deleted; let’s see what we can do.

To start please download the following programme/s, we will run it/them later. Please save it/them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CWShredder
CCleaner
Hoster

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

WinTools for IE service (WinToolsSvc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

WinToolsSvc

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50249
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - c:\sysfwb\2742545527\iefwbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\SYSsfitb.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll (file missing)
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyrl32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [brlepc] C:\WINDOWS\System32\brlepc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run
O4 - HKLM\..\Run: [8daa8707ae99] C:\WINDOWS\System32\adsldpc3.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\vznuma.exe
C:\WINDOWS\system\aoxal.exe
C:\WINDOWS\System32\adsldpc3.exe
C:\PROGRA~1\eZula
C:\WINDOWS\System32\Searchx.htm
C:\PROGRA~1\Toolbar
C:\Program Files\CxtPls\cxtpls.dll
c:\sysfwb\2742545527\iefwbar.dll
C:\windows\system32\eliteyrl32.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\System32\brlepc.exe
C:\WINDOWS\System32\guarnset.exe
C:\Program Files\WeirdOnTheWeb
C:\Program Files\Common Files\mc-58-12-0000079-d.exe
C:\PROGRA~1\Web Offer


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and I will take another look.
  • 0

#3
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here's my new logfile. We're still getting a few popups!!! GRRRRRRR
Karen and i both appreciate your rapid response! Thank you so much.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:33 PM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\vznuma.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8SkPlay.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://e14.email.exc...5e50d892189a58a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyrl32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Excite Community Tools Notifier] "C:\Program Files\Excite\PrvtMsgr\bin\x8SkPlay.exe" Notifier
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/i...etup1.0.0.4.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



And my uninstall log:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Ahead Nero - Burning Rom
AnalogX POW!
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Block Out
CDisplay 1.7
Citrix ICA Client
CleanUp!
CMN
Community Tools - Excite
DAEMON Tools
dBpowerAMP Music Converter
DivX Codec
Dynomite 2.00y
EasyRecovery Professional Edition
EliteBar Internet Explorer Toolbar
EPSON Printer Software
ewido security suite
Excite Easy Installer
FileRestore
FinalData NT
GameSpy Arcade
Gravis Xperience 4.5
GTK+ 2.4.14 runtime environment
HijackThis 1.99.1
IE Host R3
Macromedia Shockwave Player
MaxiFiles
Medal of Honor Allied Assault™ Breakthrough Demo
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Mozilla Firefox (1.0)
MSN Gaming Zone
Multitrack Stopwatch
NVIDIA Windows 2000/XP Display Drivers
Olympus Digital Wave Player
OneTouch Version 3.0
Oxygen v1.0
Paint Shop Pro 7 ESD
PamperedPartner® 9.0
PaperPort 7.02
PowerQuest Drive Image 5.0
PowerQuest PartitionMagic Pro 7.0
QuickTime
RealOne Player
searchforit - Toolbar
Shockwave
SimCity 4
Spybot - Search & Destroy 1.3
The GIMP 2.2.3
The Sims Deluxe Edition
Tweak UI
Viewpoint Media Player
WebSearch Toolbar
WeirdOnTheWeb
Winamp3 (remove only)
Windows AFA Internet Enhancement
WinRAR archiver
Win-Tools Easy Installer (by WebSearch)
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar

  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

Elite in particular is very persistent. Let’s see if we can kill it this time.

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyrl32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Win-Tools Easy Installer (by WebSearch)
WeirdOnTheWeb
Viewpoint Media Player
WebSearch Toolbar
searchforit – Toolbar
EliteBar Internet Explorer Toolbar

Please notify me of any other programmes that you don’t recognise in that list in your next response

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\vznuma.exe
C:\windows\system32\eliteyrl32.exe
C:\PROGRA~1\Toolbar\toolbar.dll/sa


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.
  • 0

#5
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Okay, here's my latest hjt log:


Logfile of HijackThis v1.99.1
Scan saved at 1:24:30 PM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\natr.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://e14.email.exc...5e50d892189a58a
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/i...etup1.0.0.4.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



As you can see, vznuma.exe still makes an appearance. I uninstalled the programs you listed while i was in safe mode (and the network cable was unplugged for my entire working session) and here's a couple programs i didn't recognize:

MaxiFiles, 0.52MB
Windows AFA Internet Enhancement, with no details.

I did a few more things which i will not list here - i don't want anyone to follow my example if i did anything destructive... or useless.

So far, five minutes into this session, i have not had any popups, so we may have had success.
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Ozerik

Where did this come from? Windows AFA Internet Enhancement. It must have snook in when our backs were turned. It causes pop-ups. We'll do the conventional fix for the remaining entries.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Windows AFA Internet Enhancement

Please open Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\natr.exe
C:\WINDOWS\System32\vznuma.exe reg_run
C:\WINDOWS\System32\vznuma.exe
C:\WINDOWS\system32\n.dll
C:\WINDOWS\VCMnet11.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

I recommend that you run CCleaner. Open it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. Reboot.

Post back a fresh HijackThis log and I will take another look.

Edited by Crustyoldbloke, 01 June 2005 - 01:51 PM.

  • 0

#7
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here's my new HJT log. Windows AFA Internet Enhancement simply refuses to be uninstalled. The uninstall string shows up as pointing to C:\WINDOWS\system\QBUninstaller.exe. This file does exist, but choosing "Remove" from the remove programs list does nothing.

The only file we killbox'ed which actually existed was vznuma.exe - the other ones didn't exist anymore.

However, upon this reboot into not-safe-mode, vznuma doesn't exist either, but there's an entry referring to it shows up in HijackThis. Searching the registry turns up a reference to it, along with C:\WINDOWS\srchasst, which i killboxed (including subdirectories), and now it's gone too. Rather, there is only an empty directory called srchasst which now refuses to be deleted. I have "show hidden files" on, so hopefully it's really a harmless, empty folder.

Hopefully my problems are solved!

edit: five minutes later... CRAP i just got a popup.



Logfile of HijackThis v1.99.1
Scan saved at 10:41:22 PM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\natr.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://e14.email.exc...5e50d892189a58a
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/i...etup1.0.0.4.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by ozerik, 01 June 2005 - 08:54 PM.

  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Just to be sure, is this a single identity PC? Do you have administrator rights?
  • 0

#9
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Yes, there's only one user account, which does have administrator rights. The machine has been on for about 12 hours now, and has gotten no worse than a few popups now and again.
It seems like we've got the worst of it taken care of, and for that alone i'm very thankful!
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Ozerik

Thanks for the information. It's time to call out the cavalry.


Download.
FindQoologic-Narrator.zip

Extract (unzip) the files inside into their own folder called FindQoologic.

Open the FindQoologic folder.

Locate and double-click the Find-Qoologic.bat file to run it.

Wait until a text opens, post it in a reply to your thread.
  • 0

Advertisements


#11
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
okay...

and... thanks again...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\BAODRQC.EXE
* aspack C:\WINDOWS\System32\VZNUMA.EXE
* aspack C:\WINDOWS\System32\PUVWB.DAT

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NATR.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Device Detector 2.lnk
EPSON Status Monitor 3 Environment Check 2.lnk
Microsoft Office.lnk
natr.exe

User Startup:
C:\Documents and Settings\karyn\Start Menu\Programs\Startup
.
..
desktop.ini
POW!.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyqmtkgx
<NO NAME> REG_SZ {ebf0d752-4085-4bbe-ab14-cd39e2b580ee}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 14:35
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Ozerik

The cavalry did well. Fingers crossed that these are the only ones.

Please open Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\BAODRQC.EXE
C:\WINDOWS\System32\VZNUMA.EXE
C:\WINDOWS\System32\PUVWB.DAT
C:\docume~1\alluse~1\startm~1\programs\startup\NATR.EXE


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.
  • 0

#13
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
okay, here's the new log. I see vznuma still shows up, but we may have had success. Popup free for seven minutes now.

Logfile of HijackThis v1.99.1
Scan saved at 12:51:50 AM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://e14.email.exc...5e50d892189a58a
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/i...etup1.0.0.4.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  • 0

#14
ozerik

ozerik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I've been browsing on my wife's computer for a little over an hour, and have had absolutely no popups or any other suspicious behavior. I think we finally beat it! A run of AdAware showed four registry entries and some tracking cookies as "critical objects", which didn't return upon reboot!

SCORE!!!!!!


So we are both totally thankful. You guys are "da bomb".

I tell you what, i'll only let my neighbor kid use any of our computers with a Knoppix live-cd running from now on. That should fix the problem permanently.
  • 0

#15
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Ozerik

Certainly sounds better doesn't it?

I think that file is only there in the registry and not in reality. So here's the test. Let's fix it using HJT. It's worth a try.

Close all programmes leaving only HijackThis running. Place a checkmark against the following:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vznuma.exe reg_run

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please set your system to show
all files; please see here if you're unsure how to do this.

Using Windows Explorer, locate the following file (if present), and delete it:

C:\WINDOWS\System32\vznuma.exe reg_run

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and I will take another look.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP