Unterminable Process! [RESOLVED]

#1 retroghost (New Member, 9 posts)
I'm new in this forum (not sure if I have placed the topic in the correct room... sorry if I didn't). I have placed this same problem in diverse forums and no one has found a way to solve it. I've tried everything I could think of and nothing works: I've tried deleting the file from Safe Mode, via Command Prompt, blocking it via "msconfig" etc. etc. The weird thing is that neither Spy/Ad-aware software nor Antivirus (Panda in this case) take it as a malicious file, not even close to a virus. I'm desperate already; it doesn't really do anything to my PC, but it's just frustrating to have it in. The problem with it is that when I use the Task Manager and end the process, it immediately changes name (.exe) and continues to run. ANY HELP will be greatly appreciated. These are my running processes:

msnmsrg.exe
PAVPROXY.exe (Panda)
mim.exe (musicmatch)
alg.exe
MMDiag.exe (musicmatch)
CLI.exe (creative software from my sound card)
CTHELPER.exe (look previous)
jbxwyy.exe (THIS IS THE PROBLEM: IF I TERMINATE IT, IT CHANGES ITS NAME TO WHATEVER IT CAN FIND TO CALL ITSELF)
wdfmgr.exe
svchost.exe
CLI.exe
CTDVDDET.exe (creative)
CTSysVol.exe (creative)
PAVSR51.EXE (Panda)
PAVFIRES.EXE (Panda)
MsgPlus.exe (messenger)
CTSVCCDA.exe (creative)
spoolsv.exe
AVPXDWIN.EXE (Panda)
svchost.exe LOCAL SERVICE
explorer.exe
svchost.exe NETWORK SERVICE
svchost.exe SYSTEM
svchost.exe NETWORK SERVICE
svchost.exe SYSTEM
ati2evxx.exe (ATI video card)
ati2evxx.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
AVENGINE.EXE
System
System Idle Process

PLEASE HELP! I really don't know what to do anymore.
#2 retroghost (Topic Starter, New Member, 9 posts)
Ahhh, there's something else I wanted to add to this: the file is only an .exe file in the windows\system32 folder. Please, I really need help. If you need the HijackThis file, here it is, although it's not an internet access bug:

Logfile of HijackThis v1.99.1
Scan saved at 11:14:26 AM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Panda\Firewall\PavFires.exe
D:\Panda\pavsrv51.exe
C:\WINDOWS\system32\svchost.exe
D:\Panda\AVENGINE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
D:\Panda\APVXDWIN.EXE
D:\MsgPlus\MsgPlus.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\jbxwyy.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\MUSICM~1\MMDiag.exe
D:\Musicmatch\mim.exe
D:\Panda\pavProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\BitLord\BitLord.exe
D:\Ares Lite Edition\Ares\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iscqgfbyj...LfC6u9Hin7X.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkjunrnzi...537ZSnDoMo.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B51E64E4-9E56-3E68-C401-629CD2A9335E} - C:\DOCUME~1\ADALBE~1\APPLIC~1\partknob\toolerror.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Panda\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=061205 serial=dr12wex-1504397-kty lang=EN
O4 - HKLM\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [MimBoot] D:\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [lgskkk] c:\windows\system32\jbxwyy.exe r
O4 - HKCU\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Panda\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Panda\pavsrv51.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Edited by retroghost, 08 June 2005 - 11:18 AM.

#3 retroghost (Topic Starter, New Member, 9 posts)
Isn't there anyone that can help me out? Come on, I really need help with this.
#4 retroghost (Topic Starter, New Member, 9 posts)
I see that no one has posted anything yet. I'm not sure if this has no solution or if it's just that no one cares for my post, so I'll ask one last time for help. Please, people, I really need help with this. I almost got rid of it but it came back, so please help out.
#5 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
As you kept adding replies to your post, everyone thought you were being helped.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next, please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iscqgfbyj...LfC6u9Hin7X.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkjunrnzi...537ZSnDoMo.html

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {B51E64E4-9E56-3E68-C401-629CD2A9335E} - C:\DOCUME~1\ADALBE~1\APPLIC~1\partknob\toolerror.exe

O4 - HKLM\..\Run: [lgskkk] c:\windows\system32\jbxwyy.exe r

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Download and unzip to one folder:
http://metallica.gee...com/findlop.zip

Inside the folder, find findlop.bat.

Double-click it and it will create the file C:\findlop.txt.
Find that file and copy the content into your next post as well.

Regards,
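An added example, not from this thread or from HijackThis itself: a small Python triage script that applies the same rules Metallica used to pick the lines above (an external start/search page, a second executable on the system.ini Shell= line, an unnamed BHO that is an .exe, a Run entry whose key and file name are both random-looking, a Trusted Zone entry, an unsigned service sitting directly in the Windows folder or missing) to lines taken from retroghost's logs, and tracks the loader's changing file name across successive logs. The sample lines are constructed from this thread; the rule names and thresholds are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis logs in this thread,
# with benign neighbours left in so the rules have something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iscqgfbyj...LfC6u9Hin7X.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B51E64E4-9E56-3E68-C401-629CD2A9335E} - C:\DOCUME~1\ADALBE~1\APPLIC~1\partknob\toolerror.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [lgskkk] c:\windows\system32\jbxwyy.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

# The O4 loader line from each of the two later logs in the thread (constructed excerpt).
LATER_LOGS = [
    r"O4 - HKLM\..\Run: [bltybp] c:\windows\system32\zjyzgx.exe r",
    r"O4 - HKLM\..\Run: [qaenrt] c:\windows\system32\vkdihm.exe r",
]

O4_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'"?([^"]+?\.exe)"?(?:\s+(.*))?$', re.IGNORECASE)
O2_RE = re.compile(r"BHO: (.*?) - \{[^}]+\} - (.+)$")
O23_RE = re.compile(r"Service: (.*?) - (.*?) - (.+)$")
RANDOM_RE = re.compile(r"^[a-z]{5,8}$")  # short, all-lowercase, no digits: the naming seen here


def flag_line(line: str) -> Optional[str]:
    """Return a short reason if the line matches one of the thread's bad patterns, else None."""
    kind, _, rest = line.partition(" - ")
    if kind in ("R0", "R1"):
        value = rest.split(" = ", 1)[-1]
        if value.lower().startswith("http"):
            return "browser start/search page points at an external URL; review it"
    elif kind == "F2":
        m = re.search(r"Shell=(.+)$", rest)
        if m and [t.lower() for t in m.group(1).split()] != ["explorer.exe"]:
            return "system.ini Shell= launches an extra executable alongside Explorer"
    elif kind == "O2":
        m = O2_RE.match(rest)
        if m and (m.group(1) == "(no name)" or not m.group(2).lower().endswith((".dll", ".ocx"))):
            return "unnamed BHO, or a BHO that is not a DLL/OCX"
    elif kind == "O4":
        m = O4_RE.match(rest)
        exe = EXE_RE.match(m.group(2)) if m else None
        if m and exe:
            stem = exe.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            # Legit entries name the key after the program; this loader uses two unrelated random names.
            if RANDOM_RE.match(m.group(1)) and RANDOM_RE.match(stem) and m.group(1) != stem:
                return "Run key and executable are both random-looking names"
    elif kind == "O15":
        return "site added to the Trusted Zone"
    elif kind == "O23":
        m = O23_RE.match(rest)
        if m and m.group(2) == "Unknown owner":
            path = m.group(3)
            parent = path.replace(" (file missing)", "").rsplit("\\", 1)[0].lower()
            if parent.endswith("\\windows") or path.endswith("(file missing)"):
                return "unsigned service directly in the Windows folder, or its file is missing"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every log line that trips a rule."""
    hits = []
    for line in log.splitlines():
        line = line.strip()
        reason = flag_line(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits


def loader_names(logs: List[str]) -> List[str]:
    """File name of the random-named O4 loader in each successive log, showing the rename on restart."""
    names = []
    for log in logs:
        for line in log.splitlines():
            kind, _, rest = line.strip().partition(" - ")
            if kind == "O4" and flag_line(line.strip()):
                exe = EXE_RE.match(O4_RE.match(rest).group(2))
                names.append(exe.group(1).rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    print("loader renamed across logs:", " -> ".join(loader_names([SAMPLE_LOG] + LATER_LOGS)))
```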
#6 retroghost (Topic Starter, New Member, 9 posts)
Sorry for the earlier replies, I really did not know that because of them there were no replies. Thanks for the help, but I tried everything exactly as you suggested and it still didn't clean up the pesky little thing. Ewido's report said that there was an error while trying to clean up several trackers; I scanned again and it still had trouble cleaning them up. As soon as I restarted my computer in normal mode, Ewido caught it, stopped it and cleaned it, but as soon as it did, the process renamed itself again and continued to try to run. Ewido caught it again and it has been doing this ever since; the process just won't stop appearing. I'm truly getting desperate. Here are the logs that you asked for:

Before clean-up HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:39:33 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
c:\windows\system32\zjyzgx.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iscqgfbyj...LfC6u9Hin7X.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkjunrnzi...537ZSnDoMo.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - d:\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B51E64E4-9E56-3E68-C401-629CD2A9335E} - C:\DOCUME~1\ADALBE~1\APPLIC~1\partknob\toolerror.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - d:\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Panda\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062705 serial=dr12wex-1504397-kty lang=EN
O4 - HKLM\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "d:\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [bltybp] c:\windows\system32\zjyzgx.exe r
O4 - HKCU\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe" /WinStart
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Panda\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Panda\pavsrv51.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)


After clean-up HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:45 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
E:\hijackthis\HijackThis.exe
c:\windows\system32\vkdihm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - d:\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - d:\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Panda\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062705 serial=dr12wex-1504397-kty lang=EN
O4 - HKLM\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "d:\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [qaenrt] c:\windows\system32\vkdihm.exe r
O4 - HKCU\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe" /WinStart
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Panda\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Panda\pavsrv51.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:38:38 PM, 6/15/2005
+ Report-Checksum: B84B39A4

+ Date of database: 6/15/2005
+ Version of scan engine: v3.0

+ Duration: 52 min
+ Scanned Files: 266720
+ Speed: 84.76 Files/Second
+ Infected files: 28
+ Removed files: 15
+ Files put in quarantine: 15
+ Files that could not be opened: 0
+ Files that could not be cleaned: 13

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\
C:\
D:\
E:\
F:\

+ Scan result:
C:\Documents and Settings\Adalberto\Cookies\adalberto@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adalberto\Cookies\adalberto@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adalberto\Cookies\adalberto@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adalberto\Cookies\adalberto@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adalberto\Cookies\adalberto@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adalberto\Local Settings\Temp\124.tmp\thnall1ac.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Common Files\tsa\tsl2.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\tcmaol.exe -> Spyware.BetterInternet -> Cleaned with backup
E:\GUILD.WARS.FIX.XIAO.FIX\Guild Wars AccessKey.Bypass.exe -> TrojanSpy.Harvester.2005.01 -> Cleaned with backup
E:\SmileyCentralFFSetup2.0.3.20.exe -> Spyware.MyWebSearch -> Cleaned with backup
F:\Guild Wars\Guild Wars AccessKey.Bypass.exe -> TrojanSpy.Harvester.2005.01 -> Cleaned with backup
C:\Documents and Settings\Adalberto\Cookies\adalberto@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Adalberto\Cookies\adalberto@atdmt[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Adalberto\Cookies\adalberto@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Adalberto\Cookies\adalberto@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Adalberto\Cookies\adalberto@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Adalberto\Local Settings\Temp\124.tmp\thnall1ac.exe -> Spyware.BetterInternet -> Error during cleaning
C:\Program Files\Common Files\tsa\tsl2.exe -> TrojanDownloader.TSUpdate.j -> Error during cleaning
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Error during cleaning
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Error during cleaning
C:\WINDOWS\system32\tcmaol.exe -> Spyware.BetterInternet -> Error during cleaning
E:\GUILD.WARS.FIX.XIAO.FIX\Guild Wars AccessKey.Bypass.exe -> TrojanSpy.Harvester.2005.01 -> Error during cleaning
E:\SmileyCentralFFSetup2.0.3.20.exe -> Spyware.MyWebSearch -> Error during cleaning
F:\Guild Wars\Guild Wars AccessKey.Bypass.exe -> TrojanSpy.Harvester.2005.01 -> Error during cleaning


::Report End

Findlop log:
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A352468490B5F7D4.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\adalbe~1\applic~1\pokewa~1\eggsgreatthat.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Adalberto'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 06/15/2005 14:00:00
NextRun: 06/15/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/10/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
#7 retroghost (Topic Starter, New Member, 9 posts)
I was finally able to eliminate the problem. THANKS METALLICA FOR YOUR HELP!! It did help a lot; I just had to be patient and Ewido did the rest. What an outstanding program. Well, anyway, I just wanted to thank you again and again, man. You don't know how much I appreciate this. Thanks again.

PS: now I see that you truly are a "malware EXPERT!!!!"

Edited by retroghost, 15 June 2005 - 08:14 PM.

#8 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
One more thing I'd like you to do.

Copy the text below into Notepad and save it as remjobs.bat
Set the file type to "All files".

@echo off
jt /sd A352468490B5F7D4.job
if exist c:\tasks.txt del c:\tasks.txt
jt /se >>c:\tasks.txt


Double-click that file and post a new HijackThis log.

Regards,
#9 retroghost (Topic Starter, New Member, 9 posts)
OK Metallica, thanks once again. I did what you requested; here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:55 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Ewido\ewidoctrl.exe
D:\Ewido\ewidoguard.exe
D:\Panda\Firewall\PavFires.exe
D:\Panda\pavsrv51.exe
C:\WINDOWS\system32\svchost.exe
D:\Panda\AVENGINE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Panda\APVXDWIN.EXE
D:\MsgPlus\MsgPlus.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Panda\pavProxy.exe
D:\BitLord\BitLord.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - d:\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - d:\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Panda\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062705 serial=dr12wex-1504397-kty lang=EN
O4 - HKLM\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [MessengerPlus3] "D:\MsgPlus\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://d:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Panda\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Panda\pavsrv51.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

........... thanks once again for the help ;)
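A small triage helper for the HijackThis log format pasted above, as an added example (not code from the thread, from HijackThis or from any poster): it parses the O-lines into records and flags the entry types a reviewer usually checks first. The sample lines are constructed from the log above, and the flag rules are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: lines excerpted from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")  # "O4 - <body>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # O4 Run-key body
EXE_RE = re.compile(r'^"([^"]*)"|^(\S+)')  # quoted path or first bare token of a command

def parse_line(line):
    """Split one HijackThis line into a record; None for non-O lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"section": m.group(1), "body": m.group(2)}
    if rec["section"] == "O4":
        r = RUN_RE.match(rec["body"])
        if r:
            rec["hive"], rec["name"], rec["command"] = r.groups()
    return rec

def review_flags(rec):
    """Reviewer heuristics; my own assumptions, not HijackThis rules."""
    flags = []
    if rec["section"] == "O4" and "command" in rec:
        m = EXE_RE.match(rec["command"])
        exe = (m.group(1) or m.group(2) or "") if m else ""
        if "\\" not in exe and ":" not in exe:  # e.g. CTHELPER.EXE with no path
            flags.append("bare executable name: resolved via search path, confirm which file loads")
    elif rec["section"] == "O15":
        flags.append("Trusted Zone entry: site gets relaxed IE security, confirm it was added on purpose")
    elif rec["section"] == "O16":
        flags.append("DPF ActiveX download: verify the source URL is expected")
    return flags

def triage(log_text):
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            rec["flags"] = review_flags(rec)
            results.append(rec)
    return results
```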

#10
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,673 posts
Excellent. :tazz:

Be careful when you upgrade to the next version of MessengerPlus.
That will come with the next version of LOP as well.

Please do have a look at my site about removing and preventing spyware.

Regards,

#11
retroghost
    New Member
  • Topic Starter
  • Member
  • Pip
  • 9 posts
Metallica thanks so, so, so much!!........ I hugely appreciate your help man.....by the way I took a look at your website and it is EXCELLENT, kudos on it and keep up the good work!!.............
Thanks again dude....... I hope that if in any future I run into some trouble again (hope not ;))...... I can get your wisdom for help :tazz:......... thanks again Metallica or Pieter as it seems to be your name ;)........ not that I think you wanna know mine but it's Adalberto by the way............ and I know that this is not a thing that you might wanna do either but if in anything that I can help you out with my hotmail is removed before the spambots find it - Metallica

#12
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,673 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.