Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Neededware always comes back

Started by Drag0nsGate , Jun 22 2005 11:35 AM

  • This topic is locked This topic is locked

#1
Drag0nsGate
Posted 22 June 2005 - 11:35 AM

Drag0nsGate

    New Member

  • Member
  • Pip
  • 2 posts
Got rid of Aurora, neededware pops up alot heres my log
removed it several times through FIxThis and tryed several cleaners like ccleaner and online scanners and things that worked for other people.



Logfile of HijackThis v1.99.1
Scan saved at 12:31:27 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Death Knight\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [bvz] C:\WINDOWS\system32\bvz.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SysTray.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117480167814
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements

#2
g2i2r4
Posted 23 June 2005 - 06:39 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Drag0nsGate to Geeks to Go!

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box and/or Uncheck Resident.
Click Allow Change box.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [bvz] C:\WINDOWS\system32\bvz.exe

O15 - Trusted Zone: http://www.neededware.com

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Download the Killbox.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system32\bvz.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Let the system reboot to normal mode.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido.txt log file you saved by using Add Reply
  • 0

#3
Drag0nsGate
Posted 23 June 2005 - 11:25 AM

Drag0nsGate

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
thanks,


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:22:29 PM, 6/23/2005
+ Report-Checksum: D8225088

+ Date of database: 6/23/2005
+ Version of scan engine: v3.0

+ Duration: 58 min
+ Scanned Files: 144387
+ Speed: 40.85 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\bvzaeg05.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\system32\pcbon.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
D:\Documents and Settings\Death Knight\Local Settings\Temp\update.exe -> Spyware.Saha -> Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 12:24:14 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Death Knight\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [bvz] C:\WINDOWS\system32\bvz.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SysTray.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117480167814
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#4
g2i2r4
Posted 23 June 2005 - 11:32 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system32\bvz.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.



Download MWAW
Doubleclick the file.

This scan takes around 3 hours to finish when set to scan everything.

Put a check next to the items below before scanning:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click "browse" to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure ALL of these are checked, then press the scan button. This will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run.

Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log with be extremely big so there is no way to copy the whole thing. I just need the infected items list.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 09 July 2005 - 11:30 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP