
Aurora - ABI Networks popups [CLOSED]


  • This topic is locked

#1
qc-zhao

    New Member

  • Member
  • 5 posts
I have recently been having problems and getting very annoyed with the pop-ups from these guys. I've browsed through the other threads and followed the steps to removal *hopefully*; however, I'm not sure it has gone. What does my HJT logfile say, guys?

Logfile of HijackThis v1.99.1
Scan saved at 16:22:55, on 03/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\WINDOWS\Explorer.exe
G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\Microsoft IntelliPoint\point32.exe
G:\Program Files\Logitech\iTouch\iTouch.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\WINDOWS\seeve.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\ctfmon.exe
g:\windows\system32\netlia.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
G:\Program Files\Winamp\winamp.exe
C:\Fraps\fraps.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\Rar$EX24.641\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelliPoint] "G:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [seeve] G:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O4 - HKLM\..\Run: [maqlmuu] g:\windows\system32\netlia.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107533951765
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D80DAD2D-0529-4D3D-B930-1A53E61AB553}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED074AE6-28B6-44EE-9922-823265E07D53}: NameServer = 209.47.15.118,64.157.143.38,158.43.240.4,158.43.240.3
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - G:\WINDOWS\system32\RadClock.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - G:\WINDOWS\svcproc.exe (file missing) <-- is it important that there's a file missing? :tazz:

cheers in advance!
  • 0



#2
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0
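The expert's reply above picks out a handful of entry types from the log that are worth acting on: the F2 `Shell=` value with an extra executable appended to Explorer.exe, O4 Run entries that launch from a temp or browser-cache folder, O15 Trusted Zone additions, the missing URLSearchHook, and an O23 service whose file is gone. The following script is an added example, not part of the thread and not HijackThis' own code; it parses the HijackThis v1.99 line format and applies exactly those heuristics to a constructed excerpt modelled on the first log. The sample lines, the `TEMP_DIRS` list and the reason strings are this example's own assumptions.

```python
"""Flag the suspicious HijackThis entry types discussed in the thread (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the thread's first log. Two benign lines
# (QuickTime Run entry, Lexmark service) are included as controls.
SAMPLE_LOG = r"""
Running processes:
G:\WINDOWS\System32\smss.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O15 - Trusted Zone: *.media-motor.net
O23 - Service: System Startup Service (SvcProc) - Unknown owner - G:\WINDOWS\svcproc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HJT entry starts with a section code such as R0, F2, O4, O23.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Folder fragments a legitimate autostart should never run from (assumption).
TEMP_DIRS = ("temporary internet files", "\\local settings\\temp", "\\temp\\")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split an HJT log line into (section code, body); None for process-list lines etc."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def flag(section: str, body: str) -> Optional[str]:
    """Return a reason if the entry matches one of the thread's suspicious patterns."""
    low = body.lower()
    if section == "F2" and "shell=" in low:
        # A stock Windows XP shell value is exactly Explorer.exe; anything
        # appended after it is launched at every logon.
        value = low.split("shell=", 1)[1].strip()
        if value != "explorer.exe":
            return "Shell= has an extra executable appended to Explorer.exe"
    if section == "O4" and any(t in low for t in TEMP_DIRS):
        return "Run entry launches an executable from a temp / browser-cache folder"
    if section == "O15":
        return "site added to the IE Trusted Zone (relaxed security settings)"
    if section == "R3" and "is missing" in low:
        return "default URLSearchHook missing (HJT can restore it)"
    if section == "O23" and "(file missing)" in low:
        return "service registered for an executable that no longer exists"
    return None


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Run flag() over every entry line and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = flag(section, body)
        if reason:
            findings.append({"section": section, "reason": reason, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the constructed sample it reports five entries (R3, F2, the firlnin O4, O15 and the SvcProc O23) and stays silent on the QuickTime and Lexmark lines; the heuristics are deliberately narrow, so a clean result from this script is not a clean bill of health, only a shortlist of what to look at first.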

#3
qc-zhao

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thanks for quick reply

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:06:56, on 03/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\Microsoft IntelliPoint\point32.exe
G:\Program Files\Logitech\iTouch\iTouch.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
G:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
G:\Program Files\ewido\security suite\ewidoctrl.exe
G:\Program Files\ewido\security suite\ewidoguard.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\WinRAR\WinRAR.exe
G:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\Rar$EX00.469\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelliPoint] "G:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107533951765
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D80DAD2D-0529-4D3D-B930-1A53E61AB553}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED074AE6-28B6-44EE-9922-823265E07D53}: NameServer = 209.47.15.118,64.157.143.38,158.43.240.4,158.43.240.3
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - G:\WINDOWS\system32\RadClock.exe


Ewido scan log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:58:11, 03/06/2005
+ Report-Checksum: 8D1D10F6

+ Date of database: 03/06/2005
+ Version of scan engine: v3.0

+ Duration: 35 min
+ Scanned Files: 66814
+ Speed: 31.50 Files/Second
+ Infected files: 12
+ Removed files: 12
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
G:\

+ Scan result:
G:\Documents and Settings\George Zhao\Cookies\george zhao@adtrak[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
G:\Documents and Settings\George Zhao\Cookies\george zhao@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
G:\Downloads\Cracks\file6.zip/crack.exe -> TrojanDownloader.IstBar.is -> Cleaned without backup
G:\Downloads\Cracks\GameCam_1.2.0.15.zip/crack.exe -> TrojanDownloader.IstBar.is -> Cleaned without backup
G:\Program Files\Web_Rebates\WebRebates0.exe -> Spyware.TopRebates.a -> Cleaned without backup
G:\WINDOWS\mm63.ocx -> Spyware.MediaMotor.a -> Cleaned without backup
G:\WINDOWS\scwmxeepl.exe -> Spyware.BetterInternet -> Cleaned without backup
G:\WINDOWS\seeve.exe -> Spyware.MediaMotor.f -> Cleaned without backup
G:\WINDOWS\system32\eliteppo32.exe -> Spyware.Hijacker.Generic -> Cleaned without backup
G:\WINDOWS\system32\kglqcsg.exe -> Trojan.Agent.cp -> Cleaned without backup
G:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned without backup
G:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned without backup


::Report End
  • 0

#4
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

2. Then post a new Hijackthis log here in a reply.
  • 0

#5
qc-zhao

    New Member

  • Topic Starter
  • Member
  • 5 posts
Here we are:

Logfile of HijackThis v1.99.1
Scan saved at 17:41:07, on 04/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\Microsoft IntelliPoint\point32.exe
G:\Program Files\Logitech\iTouch\iTouch.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
G:\Program Files\ewido\security suite\ewidoctrl.exe
G:\Program Files\ewido\security suite\ewidoguard.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Azureus\Azureus.exe
G:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
G:\Program Files\Winamp\winamp.exe
G:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\Rar$EX00.921\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelliPoint] "G:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107533951765
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D80DAD2D-0529-4D3D-B930-1A53E61AB553}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED074AE6-28B6-44EE-9922-823265E07D53}: NameServer = 209.47.15.118,64.157.143.38,158.43.240.4,158.43.240.3
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - G:\WINDOWS\system32\RadClock.exe
  • 0

#6
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select Safe Mode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe

4. Delete the following file (if present):

G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe

5. Reboot and post a new Hijackthis log here in a reply.
  • 0

#7
qc-zhao

    New Member

  • Topic Starter
  • Member
  • 5 posts
Sorry for the delayed reply - my router broke and had to be replaced.

Here is the new HJT logfile.

Logfile of HijackThis v1.99.1
Scan saved at 16:54:33, on 09/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\Microsoft IntelliPoint\point32.exe
G:\Program Files\Logitech\iTouch\iTouch.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
G:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
G:\Program Files\ewido\security suite\ewidoctrl.exe
G:\Program Files\ewido\security suite\ewidoguard.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelliPoint] "G:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D80DAD2D-0529-4D3D-B930-1A53E61AB553}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED074AE6-28B6-44EE-9922-823265E07D53}: NameServer = 209.47.15.118,64.157.143.38,158.43.240.4,158.43.240.3
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - G:\WINDOWS\system32\RadClock.exe
  • 0

#8
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select Safe Mode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe

4. Delete the following file (if present):

G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe

5. Reboot and post a new Hijackthis log here in a reply.
  • 0

#9
qc-zhao

    New Member

  • Topic Starter
  • Member
  • 5 posts
G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe

was not present in the folder, and I could not delete it.

HJT also did not seem to be able to "fix" it, as it just re-appeared in the next scan.

Logfile of HijackThis v1.99.1
Scan saved at 16:42:22, on 26/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] G:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelliPoint] "G:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [WildTangent CDA] "G:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "G:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WinampAgent] G:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D80DAD2D-0529-4D3D-B930-1A53E61AB553}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED074AE6-28B6-44EE-9922-823265E07D53}: NameServer = 209.47.15.118,64.157.143.38,158.43.240.4,158.43.240.3
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - G:\WINDOWS\system32\RadClock.exe
  • 0
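The post above illustrates the most useful check in a thread like this: comparing successive logs to see which entries actually went away after a fix and which came back. An O4 Run value that HijackThis was told to fix but that reappears in the next scan, while its target file is not even on disk, tells the defender that something else on the machine is re-creating the value, so the Run entry is a symptom rather than the root. The script below is an added example, not part of the thread and not HijackThis' own code; it compares two constructed log excerpts modelled on the thread's before-fix and after-fix states against the list of entries the expert asked to be fixed, and reports what was removed, what is new, and what survived the fix. The excerpt contents and the `FIX_LIST` are this example's assumptions.

```python
"""Diff two HijackThis logs around a fix and spot entries that survived it (added example)."""
import re
from typing import Dict, Iterable, List, Set

# Entry lines all begin with a section code (R0, F2, O4, O23, ...); the
# "Running processes" block does not and is ignored by entries().
HJT_ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")

# Constructed excerpt modelled on the thread's first log (before any fix).
BEFORE = r"""
Running processes:
G:\WINDOWS\seeve.exe
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [seeve] G:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
"""

# Constructed excerpt modelled on the log posted after the fixes were applied.
AFTER = r"""
Running processes:
G:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

# The entries the helper asked to have fixed in HijackThis (assumed list).
FIX_LIST = [
    r"F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [firlnin] G:\Documents and Settings\George Zhao\Local Settings\Temporary Internet Files\Content.IE5\1D7Z2WAL\delf061225[1].exe",
    r"O15 - Trusted Zone: *.media-motor.net",
    r"O15 - Trusted Zone: *.popuppers.com",
]


def entries(log_text: str) -> Set[str]:
    """Return the set of HJT entry lines in a log, with surrounding whitespace stripped."""
    return {line.strip() for line in log_text.splitlines() if HJT_ENTRY.match(line.strip())}


def diff_logs(before: str, after: str, fixed: Iterable[str]) -> Dict[str, List[str]]:
    """Classify entries as removed, new, or still present despite being on the fix list."""
    b, a = entries(before), entries(after)
    fix_set = {f.strip() for f in fixed}
    return {
        "removed": sorted(b - a),
        "new": sorted(a - b),
        # Fixed in HJT yet back in the next scan: another component re-creates it.
        "survived_fix": sorted(fix_set & a),
    }


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER, FIX_LIST)
    for bucket, lines in result.items():
        print(f"== {bucket} ({len(lines)})")
        for line in lines:
            print("   ", line)
```

On the constructed excerpts the Nail.exe shell value, the seeve Run entry and both Trusted Zone entries are reported as removed, the UserFaultCheck entry as new, and the firlnin Run entry as having survived the fix, which is the signal that the next step should look for whatever re-creates it rather than fixing the same line again.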

#10
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Post a new log if you still need help.
  • 0

#11
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





