Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help free me from incessant popups [RESOLVED]

Started by danielray , Jun 05 2005 03:08 PM

This topic is locked

#1
danielray

Posted 05 June 2005 - 03:08 PM

Member

Member
21 posts

Few days ago, our son visited some obscure website, and since then we have been inundated with pop-ups. These nasty little suckers show up even when IE isn't running. The kids will be playing a game, and right in the middle of the action, the popups stop them.

I've installed Ad-Aware, and run it. Every time I do so, it finds numerous malware, data miners, etc. Last run produced 88 of them...I also ran Housecall, and it found about a dozen trojans. I was able to delete all but three. Also ran cleanup and installed spybot as suggested. Attached is the hijackthis logfile. Any suggestions on how to rid our PC of these incessant pop-ups is very much appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 4:53:29 PM, on 6/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\msxct.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\kzakuk.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\pgerlii.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Ray Salgado\Local Settings\Temporary Internet

Files\Content.IE5\QLGNU1W9\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972}

- (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI

Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program

Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe

E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kzakuk.exe reg_run
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [fodqwq] c:\windows\system32\pgerlii.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program

Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft

Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft

Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...trendmicro.com/

housecall/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} -

http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -

C:\WINDOWS\svcproc.exe

#2
therock247uk

Posted 05 June 2005 - 03:15 PM

Expert

Expert
14,672 posts

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

#3
danielray

Posted 05 June 2005 - 08:26 PM

Member

Topic Starter
Member
21 posts

I went to the website to download SP1a. All 57 files/updates were completed successfully. Here is the new hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:09:35 PM, on 6/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\msxct.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\kzakuk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\DOCUME~1\RAYSAL~1\LOCALS~1\Temp\XSD\aurareco.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
c:\windows\system32\fisgyn.exe
C:\Documents and Settings\Ray Salgado\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972}

- (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5B77B4B4-7BD9-5B30-B696-B2CF28363846} -

C:\Program Files\cdapp\qynvloigfj.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI

Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program

Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe

E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kzakuk.exe reg_run
O4 - HKLM\..\Run: [zinrvx] c:\windows\system32\fisgyn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program

Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft

Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft

Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...trendmicro.com/

housecall/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} -

http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -

C:\WINDOWS\svcproc.exe

One last thing. When I go to 'my computer' -> 'properties', I don't see SP1a listed under Windows XP??? However, the download completed successfully with no errors. Wondered if the properties tab was accurate or not. So, after installing SP1a, I went back to the MS Update page, and after it did a comparison of available fixes (to what I had installed), the only recommended fix left to apply was SP2...

#4
therock247uk

Posted 06 June 2005 - 07:05 AM

Expert

Expert
14,672 posts

Ok download SP2 and post a new log here in a reply please just copy and paste like it is when its made it looks like it pasted wrong the past few times.

#5
danielray

Posted 06 June 2005 - 08:47 PM

Member

Topic Starter
Member
21 posts

OK Rock, i installed SP2. This time, the windows properties accurately reflects this too. I've also pasted in a fresh hijackthis logfile below. Hopefully this time i cut and pasted it correctly.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:58 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\msxct.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\kzakuk.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\doinqs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Ray Salgado\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BD55DEEB-5237-46A8-85F0-9CC64036CBAA} - C:\Program Files\cdapp\qynvloigfj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehxt32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kzakuk.exe reg_run
O4 - HKLM\..\Run: [ruvthw] c:\windows\system32\doinqs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Thanks for your patience and help.

#6
therock247uk

Posted 07 June 2005 - 06:22 AM

Expert

Expert
14,672 posts

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#7
danielray

Posted 07 June 2005 - 10:39 PM

Member

Topic Starter
Member
21 posts

OK, i followed the instructions and here is the new hijackthis log followed by the ewido log:

Logfile of HijackThis v1.99.1
Scan saved at 12:32:14 AM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Ray Salgado\Desktop\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {0E88C273-CD34-31A8-EE3C-A690087E9A14} - C:\Program Files\cdapp\qynvloigfj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:26:47 AM, 6/8/2005
+ Report-Checksum: 5C917DE4

+ Date of database: 6/8/2005
+ Version of scan engine: v3.0

+ Duration: 36 min
+ Scanned Files: 41538
+ Speed: 18.94 Files/Second
+ Infected files: 70
+ Removed files: 69
+ Files put in quarantine: 69
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\kack.exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@66693905[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@burstnet[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@targetnetworks[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Cookies\ray salgado@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Local Settings\Temp\nst6.EXE -> Spyware.SmartPops -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Local Settings\Temp\temp.fr8D74 -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Local Settings\Temp\toc_0032.exe -> TrojanDownloader.Agent.jq -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Local Settings\Temp\toc_0035.exe -> TrojanDownloader.Agent.jq -> Cleaned with backup
C:\Documents and Settings\Ray Salgado\Local Settings\Temp\XSD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\cdapp\qynvloigfj.exe -> Spyware.SmartPops -> Cleaned with backup
C:\Program Files\FwBarTemp\searchbar.exe -> TrojanDownloader.VB.eu -> Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide -> Cleaned with backup
C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe -> Spyware.WeirWeb -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\temporary\aun_0032.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\temporary\aun_0035.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\WINDOWS\Helper101.dll -> Spyware.Delf.r -> Cleaned with backup
C:\WINDOWS\qlimvjocg.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Small.ez -> Cleaned with backup
C:\WINDOWS\system32\auyaw.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\Cache\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\system32\Cache\EDow_AS2.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\WINDOWS\system32\Cache\HelperInstall.exe -> TrojanDropper.Delf.z -> Cleaned with backup
C:\WINDOWS\system32\Cache\optimize4.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\WINDOWS\system32\Cache\optimize5.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\WINDOWS\system32\Cache\smsca.exe -> TrojanDropper.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Agent.dh -> Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\WINDOWS\system32\eliteewx32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitefeg32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitehxt32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteuzl32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitevlv32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitewvx32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\gxdkgaa.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\ixbioib.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/System32/nvms.dll -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.ExactSearchBar -> Cleaned with backup
C:\WINDOWS\system32\kmqko.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\kzakuk.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\msxct.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\WINDOWS\system32\nsa8.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINDOWS\system32\nsp98.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack.b -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack.d -> Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\tct101.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
C:\WINDOWS\weird.exe -> Trojan.Imiserv.c -> Cleaned with backup

::Report End

Anything else I need to do?

#8
therock247uk

Posted 08 June 2005 - 07:50 AM

Expert

Expert
14,672 posts

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {0E88C273-CD34-31A8-EE3C-A690087E9A14} - C:\Program Files\cdapp\qynvloigfj.dll
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe

4. Delete the folders. (if present)

C:\Program Files\cdapp\
C:\Program Files\VBouncer\
C:\Program Files\Common Files\WinTools\
C:\Program Files\sf

5. Delete the files. (if present)

C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\sfita.exe

6. Reboot and post a new Hijackthis log here in a reply.

#9
danielray

Posted 11 June 2005 - 10:38 AM

Member

Topic Starter
Member
21 posts

Apologize for the delay in responding but I did as you requested, and here is the new logfile.

Logfile of HijackThis v1.99.1
Scan saved at 12:35:06 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ray Salgado\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

#10
therock247uk

Posted 11 June 2005 - 10:48 AM

Expert

Expert
14,672 posts

#11
danielray

Posted 12 June 2005 - 11:03 AM

Member

Topic Starter
Member
21 posts

OK Rock, did as you requested, and here again is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:39 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ray Salgado\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

#12
therock247uk

Posted 12 June 2005 - 11:19 AM

Expert

Expert
14,672 posts

Your log is clean :tazz:

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.

#13
danielray

Posted 12 June 2005 - 01:44 PM

Member

Topic Starter
Member
21 posts

Everything seems to be working fine. Thanks for all your help! I've downloaded and installed the spyware protection software you suggested below. Hope that keeps us clean in the future. These popups were nasty little boogers.

I was contemplating just reformatting my hard drive and reinstalling everything, when I found the geeks to go website. I saw that others were getting help from similar problems, so I decided to post too. I was very pleased with the responsiveness of 'therock247uk' and am glad that I found this website. Thanks again!

#14
therock247uk

Posted 12 June 2005 - 02:37 PM

Expert

Expert
14,672 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.