Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Complex Infection (Aurora Included) [CLOSED]

Started by Darklighter137 , Jun 06 2005 07:23 PM

This topic is locked

#1
Darklighter137

Posted 06 June 2005 - 07:23 PM

Member

Member
18 posts

Hello! My computer has recently fallen victim to the Aurora Adware. I am new here, as well as to the idea of protecting myself against infection and doing something about it. Please forgive my ignorance. =)

I did a scan with Ad-Aware earlier this evening, and it found a 12 families of adware on my computer. Since I did not know if allowing it to delete these things would be a good idea (I know nothing), I did not do anything about it. If posting any part of that log file would be of use, please tell me and I will post it.

Below is my hijack this log. If I did not post this correctly, please let me know what I did wrong and I will try to correct the difficulty. If any of the steps provided could go wrong, please tell me what to do in such a case, so that I will not be lost.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 8:09:44 PM, on 6/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\wpppmej.exe
C:\Justin's Folder\Downloads\Ad Ware Remover(s)\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: iWon Search Assistant BHO - {08E1C8E1-E565-44fc-A766-C9539BB3ABB7} - C:\Program Files\iWon\SrchAstt\1.bin\I1SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: iWon BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ehgult] C:\WINDOWS\System32\ehgult.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .thp: C:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:...80/dexUS520.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon...m_6_1,0,2,5.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20F1B0D1-BAD5-49F8-8149-7119A883C381}: NameServer = 64.33.128.10 209.143.0.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#2
tampabelle

Posted 08 June 2005 - 10:39 AM

Member 5k

Retired Staff
6,363 posts

Hi Darklighter,

Welcome to Geeks to Go !!! I will help you clean your PC.

I also read your other post about wanting to uninstall Internet Download Manager. I will presume that you still want to uninstall it. We will uninstall it safely :tazz:

along with other spyware / adware.

Let me study your log and revert to you with the complete fix.

Thanx for your patience.

#3
tampabelle

Posted 08 June 2005 - 11:19 AM

Member 5k

Retired Staff
6,363 posts

Hi Darklighter137,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here

Apply the update, reboot, and post a fresh Hijack This log.

#4
Darklighter137

Posted 08 June 2005 - 03:36 PM

Member

Topic Starter
Member
18 posts

Hi! Thanks so much for posting a fast reply. I found the section of the update site that has the Service Pack on it. Before I install it, though, I have a quick question... I just got done reading the large, scary list of possible problems that can occur during or after the installation.

Will my PC be okay? What do I do if something scary does happen? I'm really sorry, I trust your advice, but I don't trust myself to know what to do if something happens. :tazz:

Thanks so much for everything!

#5
tampabelle

Posted 08 June 2005 - 04:07 PM

Member 5k

Retired Staff
6,363 posts

Hi Darklighter,

The problems you have read about pertain to installation of Service Pack 2 or SP2. Thats the reason why I am asking you to install SP1a only. We will install SP2 after the PC is clean.

Hope that clears your concerns. :-)

#6
Darklighter137

Posted 08 June 2005 - 06:56 PM

Member

Topic Starter
Member
18 posts

It does, thank you... Sadly, I have a new problem--I can't seem to find the Service Pack 1a download on the Windows Update site. When I finally get to the screen where it allows me to select what I wish to update, no such thing is listed. Instead, it lists several unique "fixes". Many of them--things like "malicious software finder" and files marked as "cannot be removed"--don't sound very appealing.

Could you please provide me with some direction? The site seems fairly straight-forward. Thus, I must conclude that I am missing something.

I'm really sorry. You have taken time out of your day to be nice and help me, and I repay you with many difficulties. :tazz:

#7
tampabelle

Posted 08 June 2005 - 08:58 PM

Member 5k

Retired Staff
6,363 posts

Hi Darklighter,

Lets try this -

*Please go here (Microsoft website) using Internet Explorer ( not Firefox or any other browser as they won't work)
*Click on "Windows Validation Assistant"
*Click on the "Validate Now" button.
*Be patient while the ActiveX loads, do not click on any links.
*Read the instructions on this page while it's loading. You will be prompted to install - click YES.
*Enter your product key then click "continue"
*When it says "Validation Complete" please click "Continue to return to your previous activity"
*Copy what it says and paste it here.

#8
Darklighter137

Posted 09 June 2005 - 02:37 PM

Member

Topic Starter
Member
18 posts

Okay. Thanks again. I hope I haven't messed up...

It says "Thank you for running the Windows Validation Assistant. It appears that your Windows Product Key is valid."

Following that text is some information on the benefits of not having pirated software.

I hope that helps. =)

#9
tampabelle

Posted 09 June 2005 - 04:51 PM

Member 5k

Retired Staff
6,363 posts

Thanx Darklighter for your patience.

I am currently working on the fix and will come back to you.

Cheers

#10
tampabelle

Posted 09 June 2005 - 06:12 PM

Member 5k

Retired Staff
6,363 posts

Hi Darklighter,

Please print these instructions or copy them into a text file on your Desktop as you will be asked to disconnect from the internet during the fix and you wont have access to this page.

1. Download Programs

Download the following programs and save them in a new directory on your Desktop.
LSPfix
CWShredder
Nailfix
Ewido Security Suite
Deldomains.inf

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Install Ewido and update the definitions to the newest files.

Dont run any of the programs yet !!!!

2. Fix the LSP Chain

1. Run the LSPFix.exe that you have just finished downloading.
2. Check the I know what I'm doing box.
3. In the Keep box you should see one or more instances of idmmbc.dll.
4. Select every instance of idmmbc.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Remove the infections

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

4. Run Hijack This

Run Hijack This, while still in Safe mode and click Scan. The following items need to be fixed :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: iWon BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ehgult] C:\WINDOWS\System32\ehgult.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:...80/dexUS520.exe
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon...m_6_1,0,2,5.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

If you dont find any of the above entries, please proceed with the rest of the fix and let me know in you next post.

Check the boxes next to above items and click on fix checked.

5. Delete Rogue Files

Click on Start ---> Settings ---> Control Panel. Double Click on Add or Remove Programs. Locate the items - Internet Download Manager and iWon - and uninstall them.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files and folders, if found -

C:\WINDOWS\systb.dll
C:\WINDOWS\System32\ehgult.exe
c:\windows\system32\idmmbc.dll

C:\Program Files\Internet Download Manager -------> folder
C:\Program Files\iWon -------> folder

Reboot the PC normally.

Please run Hijack This and click on Scan. Post the ffresh HJT log file here along with Ewido scan report and any observations you had.

#11
Darklighter137

Posted 10 June 2005 - 12:11 PM

Member

Topic Starter
Member
18 posts

Thank you so much for taking the time to tell me what to do. I have a couple of questions before I proceed, just in case I happen to get stuck along the way:

1. Is there any possibility that IDM might still mess up my internet connection after I uninstall it? If that were to happen again, I couldn't get on the internet to get help... Should I make a system restore point before doing that, or will it be okay?

2. After fixing what you have requested, should I avoid using the internet entirely until we have fixed everything and gotten proper protective mesaures installed?

3. My dad likes to use the iwon website for contests, is that site on a whole to be avoided? Are there any other contest sites that he should avoid?

4. Do I need to disable my anti-virus software or system restore for any of these steps?

5. Oops, I almost forgot to add that I have something called the Wildtangent Web Driver installed on my computer (it came pre-installed with my HP computer). I turned it off before running Hijack this, because I have read that it can sometimes be mistaken as spyware because of the way it runs. Will it miss any of these files at all?

Thank you very much for everything. I don't mean to second guess you in any way, I just need to make sure I fully understand what is going on so I don't mess anything up (I'm clumsy). :tazz:

Edited by Darklighter137, 10 June 2005 - 12:21 PM.

#12
tampabelle

Posted 10 June 2005 - 12:45 PM

Member 5k

Retired Staff
6,363 posts

Hi Darklighter,

Let me answer your queries -

1. Did you notice the part about LSP fix ?? We are making sure that uninstalling IDM wont disrupt your internet connectivity.

2. In order to get proper measure installed you will need to get onto internet. Since we are doing it in a controlled manner, there wont be any problems. Anyway I am here to ensure that everything is properly done.

3. Please visit this site to read more about iWon. Should you and your dad decide to retain it, I will modify my fix accordingly. In that case dont go ahead with the fix.

4. Please dont disable your System Restore or any other protection you have.

5. I noticed WildTangent. It is an optional removal which I would have come to later. Since you want to keep it, I will keep that in mind.

It is good that you are clearing all your doubts. This also provides a checkpoint for us to ensure that everything is being done properly.

#13
Darklighter137

Posted 11 June 2005 - 11:51 AM

Member

Topic Starter
Member
18 posts

Hey! I just got done applying that perscribed steps. I hit a bit of a snag, though. I uninstalled IDM, and it rebooted (didn't expect that). So, the Iwon prize machine is still installed, and systb.dll, ehgult.exe, and idmmbc.dll are still on my PC. I also did not get a chance to clear the IDM and Iwon folders. Before attempting to do anything about it, I thought I should post my progress.

NOTE: Some other things listed for Hijack, like svcproc.exe didn't appear in the list... I hope they were minor. Note also that some Aurora programs appear to be running in the background. Finally, Aurora is BACK (due no doubt to me messing up the process). I included the WRONG log previously... Here is the correct one:

Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 12:58:11 PM, on 6/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\bcsdnlx.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Justin's Folder\Downloads\Ad Ware Remover(s)\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: iWon Search Assistant BHO - {08E1C8E1-E565-44fc-A766-C9539BB3ABB7} - C:\Program Files\iWon\SrchAstt\1.bin\I1SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [omnk] C:\WINDOWS\System32\omnk.exe
O4 - HKLM\..\Run: [usxseuw] c:\windows\system32\bcsdnlx.exe r
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .thp: C:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118268226918
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:28:59 PM, 6/11/2005
+ Report-Checksum: 585C421F

+ Date of database: 6/11/2005
+ Version of scan engine: v3.0

+ Duration: 51 s
+ Scanned Files: 11
+ Speed: 0.21 Files/Second
+ Infected files: 1
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
Memory

+ Scan result:
c:\windows\system32\gdwnjmt.exe / PID: 788 -> Spyware.BetterInternet -> Ignored

::Report End

Thanks again! I'm sooo sorry... I should have remembered IDM would reboot the computer when unistalled. =(

Edited by Darklighter137, 11 June 2005 - 12:03 PM.

#14
tampabelle

Posted 11 June 2005 - 12:04 PM

Member 5k

Retired Staff
6,363 posts

Thats fine.

Please boot the PC in Safe Mode and continue with the rest of the fix and post a fresh HJT log when you are finished.

#15
Darklighter137

Posted 11 June 2005 - 06:14 PM

Member

Topic Starter
Member
18 posts

Hello again. I may have an additional problem(s)...

1. After I disconnected from the internet (right after posting), I got one of those "An Error Has Occured" message boxes regarding some strange program called "Downloader". I also took note of a new process called Bargain.exe (found via Ctrl + Alt + Delete). I have never seen these before, and they popped up just after I posted my logs.

2. A few weeks prior to receiving Aurora, Norton informed me that I had a "Trogan Downloader virus (or something like that) in my temp files. Since it said it got rid of it, and since it was there a week before I got any of this adware, I thought it had no significance... Does it?

3. I noticed that my new log seemed to have some new junk in it, and was significantly larger than the one I took in safe mode just after the fixes. Need I do anything about those at this point?

4. If I understand you correctly, you would like me to delete the Iwon and Internet Download Manager folders (there isn't actually any Iwon program listed in Add/Remove programs). Is this correct? Since there is no uninstallation involved, may I do it in normal mode, or must it be in safe mode?

5. Should I uninstall Viewpoint Manager and media player, since I couldn't find the related fix in Hijack? Will my system miss it? What is it even for (it either came pre-installed on my computer or installed itself)?

I am honestly very sorry. You have worked very hard to help me, and I have nothing but questions and difficulities. I am trying my best to understand the process so I don't make anything worse--this is my first attempt at fixing my computer. Thank you for your patience; please do not be offended by the large volume of questions... I did not know the power of the Dark Side of the Force. :tazz: