Aurora gone but I'm still gettin nail.exe'd


This topic is locked.

#1
bobick
New Member, 7 posts
I was hit with Aurora a couple of days ago. Read the guidelines, got the downloads and followed the initial steps. All seemed well. Ran SpySubtract, Ewido a third time for good measure and HJT twice; the Aurora pop-ups have disappeared, but I did a file search and still found nail.exe. Below is the location of nail.exe:

nail.exe-0008843.pf c:\windows\prefetch

Haven't downloaded nailfix yet, not sure how to start XP Professional in safe mode.

Here are the logs.

From SpySubtract-CW

Machine=BOBLAPTOP
Time=Thu Jun 02 11:39:43 2005
Product Version=3, 0, 0, 29
OS Version=Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Started Scanning
CoolWebSearch Variants (CWShredder)
Finished Scanning
Started Cleaning
Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Finished Cleaning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC for export/import. Error=5.
Finished Backup
Started Cleaning
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'. Error=5.
Finished Cleaning
Started Scanning
Internet Cookies
Internet Cookies: Found '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'atdmt.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'atwola.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'insightfirst.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'mediaplex.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'servedby.advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'zedo.com' in 'Internet Explorer Cache'
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Finished Backup
Started Cleaning
Internet Cookies: Cleaned '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'atdmt.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'atwola.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'insightfirst.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'mediaplex.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'servedby.advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'zedo.com' in 'Internet Explorer Cache'
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'. Error=5.


Logs from Ewido

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:36:18 PM, 6/2/2005
+ Report-Checksum: 88EEF5F3

+ Date of database: 6/2/2005
+ Version of scan engine: v3.0

+ Duration: 14 min
+ Scanned Files: 67518
+ Speed: 76.88 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Bob Bickford\Cookies\bob bickford@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Bob Bickford\Cookies\bob bickford@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

And HJT

Logfile of HijackThis v1.99.1
Scan saved at 6:46:50 PM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\DOCUME~1\BOBBIC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#2
bobick (Topic Starter)
New Member, 7 posts
I've downloaded the fixes, run them and here is the latest HJT log. Can someone please advise?

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:34:10 AM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\BOBBIC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#3
g2i2r4
retired HiJack Helper (Retired Staff, 5,080 posts)
Welcome bobick to Geeks to Go!

Please unzip HijackThis to a folder of its own. Run it from there.

Download CleanUp!.
If that doesn’t work, use this link.
Double click the file cleanup.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close.

Let the system reboot.

***

Open HijackThis.
Close all programs leaving only HijackThis running.

Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
MyWay search bar / search assistant
Press ‘delete this entry’.
Press ‘back’
Then press ‘scan’

***

Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe

Click on Fix Checked when finished and exit HijackThis.

***

Please download the Killbox.
Unzip it to the desktop
Please double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system32\exp.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Update Ewido to the latest definitions. Run a scan and save the log.

Post back here with a log using Hijackthis and a scanlog from Ewido.



If you have resolved this issue please let me know.
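As an added example (not from this thread, and not code from HijackThis), here is a small Python script that does what the helper above did by hand: it parses the R*/O* entries out of a HijackThis 1.99.1 log, flags the kinds of entries asked to be fixed (an unnamed URLSearchHook or BHO, a browser search setting pointing at a watched host, and a Run value named after an unknown executable in system32), and compares a before/after log to confirm the fixed entries are gone. The watched-host list and the known-good system32 list are assumptions for the demo, and the two sample logs are constructed from entries posted in this thread.

```python
import re
from dataclasses import dataclass

# One HijackThis 1.99.1 entry line: section code ("R1", "O4", ...), " - ", rest.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# An O4 Run value: [ValueName] optionally-quoted path\to\program.exe args
RUN_ENTRY = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)

# Assumptions for this demo (not part of HijackThis): hosts whose appearance in an
# R0/R1 browser setting gets flagged, and system32 programs that legitimately
# register a Run value named after their own file name.
WATCHED_HOSTS = {"bfc.myway.com"}
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}


@dataclass(frozen=True)
class Entry:
    kind: str  # section code, e.g. "R1" or "O4"
    body: str  # everything after "R1 - "


def parse_hjt(text: str) -> list:
    """Return the R*/O* entries of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def host_of(body: str):
    """Host of the URL right of '=' in an R0/R1 entry, or None.
    HijackThis shortens long URLs with '...', so keep only the part before that."""
    m = re.search(r"=\s*https?://([^/\s]+)", body)
    return m.group(1).split("...")[0].lower() if m else None


def flag_entry(e: Entry) -> list:
    """Reasons an entry deserves a look; an empty list means nothing matched."""
    reasons = []
    if e.kind in ("R3", "O2") and "(no name)" in e.body:
        reasons.append("unnamed URLSearchHook/BHO")
    if e.kind in ("R0", "R1") and host_of(e.body) in WATCHED_HOSTS:
        reasons.append(f"browser setting points at watched host {host_of(e.body)}")
    if e.kind == "O4":
        m = RUN_ENTRY.search(e.body)
        if m:
            path = m.group("path")
            exe = path.rsplit("\\", 1)[-1].lower()
            if ("\\system32\\" in path.lower()
                    and exe == m.group("name").lower()
                    and exe not in KNOWN_SYSTEM32_RUN):
                reasons.append("Run value named after an unknown system32 executable")
    return reasons


def compare_logs(before: str, after: str) -> dict:
    """Diff two logs and list whatever is still flagged in the newer one."""
    b, a = parse_hjt(before), parse_hjt(after)
    a_set, b_set = set(a), set(b)
    return {
        "removed": [e for e in b if e not in a_set],
        "added": [e for e in a if e not in b_set],
        "still_flagged": {e: flag_entry(e) for e in a if flag_entry(e)},
    }


# Constructed sample logs built from entries posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# The same machine after the four fixes were applied.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    result = compare_logs(LOG_BEFORE, LOG_AFTER)
    for e in result["removed"]:
        print("removed:", e.kind, "-", e.body)
    for e, why in result["still_flagged"].items():
        print("still flagged:", e.kind, "-", e.body, "->", ", ".join(why))
```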

#4
bobick (Topic Starter)
New Member, 7 posts
Thanks for the reply! Here's where I am so....

1. Ran the cleanup and rebooted.
2. Ran HJT (having difficulty figuring out how to unzip it to a non-temp file; help!), did the steps and checked the specified entries.
3. Downloaded and ran Killbox, entered the file and followed the steps.

I received this message after clicking "Yes" and didn't get the "No" option for the Pending Operations prompt. Here's what I got:

Pending file rename operations registry data has been removed by external process. Clicked "OK" and manually rebooted.

Ran Ewido; here's the log:

+ Created on: 10:45:25 PM, 6/7/2005
+ Report-Checksum: 6D421D53

0: System Process
4: System Process
208: C:\WINDOWS\system32\spoolsv.exe
260: C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
340: C:\Program Files\Apoint\Apntex.exe
376: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
440: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
444: \SystemRoot\System32\smss.exe
464: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
576: C:\Program Files\Dell Support\DSAgnt.exe
596: C:\Program Files\QuickTime\qttask.exe
632: C:\Program Files\iTunes\iTunesHelper.exe
636: C:\WINDOWS\system32\ctfmon.exe
708: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
720: C:\Program Files\ewido\security suite\ewidoctrl.exe
768: C:\Program Files\X3watch\x3watch.exe
784: C:\Program Files\ewido\security suite\ewidoguard.exe
872: C:\Program Files\Apoint\Apoint.exe
912: C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
920: C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
928: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
936: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
988: \??\C:\WINDOWS\system32\csrss.exe
1012: \??\C:\WINDOWS\system32\winlogon.exe
1056: C:\WINDOWS\system32\services.exe
1068: C:\WINDOWS\system32\lsass.exe
1072: C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
1244: C:\WINDOWS\system32\Ati2evxx.exe
1264: C:\WINDOWS\system32\svchost.exe
1288: C:\Program Files\Dell\QuickSet\quickset.exe
1320: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
1388: C:\WINDOWS\system32\svchost.exe
1420: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
1432: C:\WINDOWS\System32\svchost.exe
1520: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1528: C:\Program Files\ewido\security suite\SecuritySuite.exe
1564: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1580: C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
1640: C:\WINDOWS\system32\svchost.exe
1660: C:\WINDOWS\system32\dla\tfswctrl.exe
1692: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
1732: C:\WINDOWS\system32\svchost.exe
1888: C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
1900: C:\WINDOWS\system32\Ati2evxx.exe
1932: C:\WINDOWS\system32\wbem\wmiprvse.exe
2008: C:\WINDOWS\Explorer.EXE
2156: C:\WINDOWS\System32\alg.exe
2300: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2336: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
2384: C:\Program Files\Digital Line Detect\DLG.exe
2420: C:\Program Files\InterMute\SpySubtract\SpySub.exe
2444: C:\Program Files\Handspring\HOTSYNC.EXE
2552: C:\WINDOWS\system32\wbem\wmiprvse.exe
2920: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
3032: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
3084: C:\WINDOWS\system32\wdfmgr.exe
3632: C:\WINDOWS\system32\wbem\wmiapsrv.exe
3712: C:\Program Files\iPod\bin\iPodService.exe

Ran HJT; here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:35 PM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\BOBBIC~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

What next?
  • 0

#5
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Well done :tazz:
This HijackThis log looks great (guess you don't need it anymore now).

The 'pending file etc.' message Killbox gave you means the file was already removed by previously taken steps.

If you saved the log Ewido made, could you please post the 'infected files' part?
  • 0

#6
bobick

bobick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
:tazz: Thanks! Ewido found nothing on its last scan, however. SpySubtract returned some files and I've copied the log below. I also found a CWS variant; I believe it's listed.

Is there reason to be concerned by the files listed below in the spysubtract log?

Started Scanning
Internet Cookies
Internet Cookies: Found 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'insightfirst.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'mediaplex.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'servedby.advertising.com' in 'Internet Explorer Cache'
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found '' in 'S-1-5-21-3137201005-2477606125-1027978818-1007\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC for export/import. Error=5.
Finished Backup
Started Cleaning
Internet Cookies: Cleaned 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'insightfirst.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'mediaplex.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'servedby.advertising.com' in 'Internet Explorer Cache'
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'. Error=5.
Finished Cleaning
Started Scanning
CoolWebSearch Variants (CWShredder)
Finished Scanning
Started Cleaning
Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Finished Cleaning


Please advise....
  • 0
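The SpySubtract output above, with its repeated Error=5 lines, as an added Python triage helper that is not part of the original post or of SpySubtract: it assumes only the log format shown in this thread (the sample lines embedded in it are constructed from that format), maps Error=5 to the Win32 ERROR_ACCESS_DENIED code, and derives from each Enum\Root\LEGACY_<name> key the Services\<name> key a responder would look at next.

```python
import re
from collections import defaultdict

# Win32 system error codes that SpySubtract reports as "Error=N" (only the relevant ones).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

FOUND_RE = re.compile(r"^Windows Registry: Found '(?P<value>[^']*)' in '(?P<key>[^']+)'")
KEY_RE = re.compile(r"SYSTEM\\CurrentControlSet\\[A-Za-z0-9_\\{}\-]+")
ERROR_RE = re.compile(r"Error=(\d+)")
LEGACY_RE = re.compile(r"\\Enum\\Root\\LEGACY_([A-Za-z0-9_]+)", re.IGNORECASE)

# Constructed sample in the SpySubtract log format seen in this thread (not a real log).
SAMPLE_LOG = r"""Started Scanning
Windows Registry
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Finished Scanning
Started Backup
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC for export/import. Error=5.
Finished Backup
Started Cleaning
Internet Cookies: Cleaned 'advertising.com' in 'Internet Explorer Cache'
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
Finished Cleaning
"""


def parse_spysubtract_log(text):
    """Return (found, failures): found maps a flagged key to the value names reported
    for it ('' means the key itself); failures maps a key to the set of Win32 error
    codes SpySubtract hit while trying to back it up or remove it."""
    found = {}
    failures = defaultdict(set)
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            found.setdefault(m.group("key"), []).append(m.group("value"))
            continue
        err = ERROR_RE.search(line)
        if err and "registry key" in line:
            k = KEY_RE.search(line)       # tolerates the odd 'HKLM\' quoting in WARNING lines
            if k:
                failures[k.group(0)].add(int(err.group(1)))
    return found, failures


def legacy_service_name(key):
    """Enum\\Root\\LEGACY_<name> entries are created by the PnP manager for the legacy
    (non-PnP) service or driver named <name>; return that name, or None."""
    m = LEGACY_RE.search(key)
    return m.group(1) if m else None


def triage(text):
    """One report entry per flagged key: owning service, the Services key to inspect,
    decoded error codes, and whether removal was blocked by an access-denied error."""
    found, failures = parse_spysubtract_log(text)
    report = []
    for key in sorted(found):
        svc = legacy_service_name(key)
        codes = sorted(failures.get(key, ()))
        report.append({
            "key": key,
            "values": found[key],
            "service": svc,
            "services_key": r"HKLM\SYSTEM\CurrentControlSet\Services\%s" % svc if svc else None,
            "errors": ["%s (%d)" % (WIN32_ERRORS.get(c, "unknown"), c) for c in codes],
            "protected": 5 in codes,
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

A key that is flagged but comes back as `protected` is one whose ACL denies the scanner access (Error=5 is ERROR_ACCESS_DENIED), which is why a tool running under a restricted account cannot back it up or remove it.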

#7
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please do this:

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.
  • 0

#8
bobick

bobick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here's the list from uninstall.

Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
ALPS Touch Pad Driver
ATI Control Panel
ATI Display Driver
Broadcom Management Programs
Business Contact Manager for Outlook 2003
CleanUp!
Conexant D110 MDC V.9x Modem
Dell Driver Reset Tool
Dell Picture Studio v3.0
Dell Support 5.0.0 (766)
Digital Line Detect
ewido security suite
HijackThis 1.99.1
Intel® PROSet/Wireless Software
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
LiveUpdate 1.80 (Symantec Corporation)
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft PowerPoint Viewer 97
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
mSSO
mToolkit
Musicmatch® Jukebox
mWlsSafe
mXML
mZConfig
NetWaiting
Palm Desktop and Synchronization Software
PowerDVD 5.1
QuickSet
QuickTime
RealPlayer
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SpySubtract
Symantec AntiVirus Client
The ABI Network- A Division of Direct Revenue
Viewpoint Manager (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
X3watch 4.3.0
  • 0

#9
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
The ABI Network- A Division of Direct Revenue
Press ‘delete this entry’.
Close HijackThis and reboot.

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.

Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box

Run AboutBuster. This will scan your computer for the bad files and delete them.
Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here.
  • 0

#10
bobick

bobick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here's the latest.

Ran HJT and found and deleted ABI Network.

About:Buster didn't ask about alternate data streams, shutting down explorer.exe, or making a second pass. Here is the About:Buster log.

AboutBuster 5.0 reference file 28
Scan started on [6/8/2005] at [2:59:39 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:59:42 PM


AboutBuster 5.0 reference file 28
Scan started on [6/8/2005] at [3:05:59 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:06:03 PM
  • 0

#11
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
How are things now?
  • 0

#12
bobick

bobick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Seems to be okay, but SpySubtract is still picking up these registry key files. I did a regedit and found where they are, but am not sure if I can delete them from there. They seem to have something to do with a search bar and BHO, from what SpySubtract tells me.

Here's the list again.
Machine=BOBLAPTOP
Time=Wed Jun 08 15:10:25 2005
Product Version=3, 0, 0, 29
OS Version=Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Windows Registry: Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Windows Registry: Found '' in 'S-1-5-21-3137201005-2477606125-1027978818-1007\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}'
Internet URL Shortcuts
Files and Directories
Finished Scanning

And the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:10:03 PM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\BOBBIC~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springcreekchurch.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.w...ler/install.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  • 0

#13
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
It seems to belong to NEO toolbar.

Try disabling AntiSpyware and then run CWShredder. Maybe AntiSpyware is protecting those entries from being changed.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 24 June 2005 - 01:29 PM.

  • 0
