Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

aurora - helkern - and trojans


  • Please log in to reply

#16
wioombeen

wioombeen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
tj

house call found two that cold not be claened as they were bing used.

java bytever .a
java bytever .b

eddie
  • 0

Advertisements


#17
tj416

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi wioombeen,

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
  • 0

#18
wioombeen

wioombeen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Tj,

here is the log from Mwav.



Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Browser Hijack Object Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\WINDOWS\System32\pxsfs.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Norton SystemWorks\Norton Utilities\nswcs.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Norton SystemWorks\Norton Utilities\ADV_PRTN.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Norton SystemWorks\Norton CleanSweep\ncscs.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Norton SystemWorks\NSWRes.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\CKA.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\GDIPlus.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\IEPlugIn.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\WCEngine.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\wcIntro.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\WTPlug.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\WCQuick.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\wtplug.nsi". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Symantec\Web Tools\WCViewer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\WINDOWS\system32\CTDetect.cpl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0A74BEAE-3220-4EAF-A242-29D6495485A1}" refers to invalid object "D:\Program Files\Symantec\Web Tools\WTPlug.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C5B0CED-206B-4c39-B615-0EB23C824612}" refers to invalid object "C:\Program Files\Common Files\Adobe\Shell\AIIcon.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{29FF67FF-8050-480f-9F30-CC41635F2F9D}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5F3605D3-D957-4B54-98E5-875469898B9B}" refers to invalid object "D:\Program Files\Symantec\Web Tools\WTPlug.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{70B51430-B6CA-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8298d101-f992-43b7-8eca-5052d885b995}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9E69612-B80D-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E2066AB8-E3FB-4114-958B-9BE999A464E4}" refers to invalid object "D:\Program Files\Symantec\Web Tools\WTPlug.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EC483730-74D4-4224-A894-1EF53E8943EF}" refers to invalid object "D:\Program Files\Symantec\Web Tools\WTPlug.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f612954d-3b0b-4c56-9563-227b7be624b4}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F83865C0-92C3-11d3-B41E-0010DC973BDB}" refers to invalid object "CamExL20.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F83865C2-92C3-11d3-B41E-0010DC973BDB}" refers to invalid object "CamExL20.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F83865C3-92C3-11d3-B41E-0010DC973BDB}" refers to invalid object "CamExL20.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD0A5AF3-B41D-11d2-9C95-00C04F7971E0}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\CSFastSave.FastAndSafe" refers to invalid object "{3F4B6C82-46CB-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\CSFastSave.FastAndSafe.1" refers to invalid object "{3F4B6C82-46CB-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\LVComSX.TriEditDocument.1" refers to invalid object "{72CEF763-E0F0-B4F6-797A-8DC4789D6648}". Action Taken: No Action Taken.
Entry "HKCR\NavPreCOM.NavAutoProtect" refers to invalid object "{2E7389A5-41EF-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\NavPreCOM.NavAutoProtect.1" refers to invalid object "{2E7389A5-41EF-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\NavPreCOM.NavDefFiles" refers to invalid object "{2E7389A2-41EF-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\NavPreCOM.NavDefFiles.1" refers to invalid object "{2E7389A2-41EF-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\NavPreCOM.NavLastScan" refers to invalid object "{2E7389A6-41EF-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\NavPreCOM.NavLastScan.1" refers to invalid object "{2E7389A6-41EF-11D4-8785-00C04F48B4B5}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\QCImage.ComFilters.2" refers to invalid object "{7B3CF2E9-AC27-3DD2-830E-EC7E4619603D}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WDScnrLK.WinDoctorScannerLock" refers to invalid object "{2A36611E-A782-47A3-B335-85EE61D67BA2}". Action Taken: No Action Taken.
Entry "HKCR\WDScnrLK.WinDoctorScannerLock.1" refers to invalid object "{2A36611E-A782-47A3-B335-85EE61D67BA2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WTIntegratorPlugin.WTLauncher" refers to invalid object "{EDAC70F6-8BAA-413C-83D2-5494C0F55F9F}". Action Taken: No Action Taken.
Entry "HKCR\WTIntegratorPlugin.WTLauncher.1" refers to invalid object "{EDAC70F6-8BAA-413C-83D2-5494C0F55F9F}". Action Taken: No Action Taken.
File D:\WINDOWS\vyxmbc.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
File D:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File D:\DOCUME~1\user\LOCALS~1\Temp\DJA\aurareco.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\bak\AAWSEPERSONAL.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\bak\POPUPSTOPPERFREE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\bak\ZLSSETUP_55_094_000.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\MP3's\misc theme songs and soundtracks\godzilla.mp3 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite1.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File D:\Documents and Settings\user\Local Settings\Temp\DJA\aurareco.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File D:\Program Files\2Wire\sy_apps\sbcybase.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\2Wire\sy_apps\sbcyess.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\2Wire\sy_apps\ybrowser_setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\2Wire\sy_apps\yfamily_setup.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\2Wire\sy_apps\ymsgr_sbcd.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\AIM\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Creative\SBAudigy2\Program\WDM\COMMON\killapps.exe tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File D:\Program Files\Lavasoft\Ad-Aware SE Professional\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Logitech\Print Service\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\MemTurbo\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\MemTurbo30\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File D:\Program Files\Netscape\Communicator\Program\AIM\unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Yahoo!\Common\unycust.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Yahoo!\Installs\ymsgr7us.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Yahoo!\Installs\ymsgrie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Yahoo!\Messenger\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Yahoo!\YPSR\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Yahoo!\YPSR\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\temp\New Folder\MemTurbo 3.0 Setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\temp\New Folder\MemTurbo.v2.2 + Serial.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File D:\WINDOWS\vyxmbc.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
File E:\document stuff on G\Kazaa Lite\Kazaa Hack 2.0.2.exe tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff\CJ3973LE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff\CJXP73LE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff\DivXPro502GAINBundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff2\cdripper_1.39.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff2\grokstersetupg.exe tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff2\iplus34.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\document stuff on G\stuff for eddie\Stuff2\Morph20.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\Program files\Program\WDM\COMMON\killapps.exe tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File I:\stuff again from C\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File I:\stuff again from C\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File I:\Stuff from c\My Pictures\pics to sort\Needs to be sorted\EAX4DRV_AUDIGY2_1_84_50.exe tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File I:\Stuff from c\My Pictures\pics to sort\Needs to be sorted\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File c:\bak\AAWSEPERSONAL.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File c:\bak\POPUPSTOPPERFREE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File c:\bak\ZLSSETUP_55_094_000.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File c:\MP3's\misc theme songs and soundtracks\godzilla.mp3 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
  • 0

#19
tj416

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi wioombeen,
  • Download iSearchFix.
  • Install the program to its default location.
  • Boot into Safe mode. To boot into Safe mode:
    • Restart your computer and immediately begin tapping the F8 key on your keyboard.
    • If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
  • Double-click isearch.bat which will be located in the iSearchFix's folder.
  • Restart in the normal mode.
  • Post the contents of isearchlog.txt in your reply.

Edited by tj416, 06 July 2005 - 05:44 AM.

  • 0

#20
wioombeen

wioombeen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
sorry about the dely in my reply, i was out of town!
thanks for your patients.

here is the log from ifix


iSearch Removal Batch 1.00

by Atri

Looking for and terminating running processes


Fixing the registry

"Registry fix complete"

Removing the Delprot service
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.



Unregistering and deleting isrvs dll's


Attempting to delete files and folders


Removing bad shortcuts from desktop

If there are "bad" shortcuts remaining on your desktop please report them with your logs!

Emptying the Trusted and Restricted zones


!!Please post this log as well as a new HijackThis log on the forum!!


AND HERE IS A NEW HIJACK THIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 3:45:52 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\ePrompter\ePrompter.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\WINDOWS\system32\CTsvcCDA.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\system32\Tablet.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Documents and Settings\user\Desktop\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [unpuxam] d:\windows\system32\wezwdf.exe r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CTRegRun] D:\WINDOWS\CTRegRun.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CamTray.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePrompter.lnk = D:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Spy Sweeper Fix.lnk = D:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117806100875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\system32\Tablet.exe










i still get a msg in when windows logs in saying it cant find nail.exe
i havent gotton a helkern in awhile.

thanks
wioombeen
  • 0

#21
tj416

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi wioombeen,

Sorry for my delayed response. I didn't recieve an email notification that you had replied. It looks like tha Nail infection has returned....

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare Ewido Security Suite for use:
    • Download the trial version of Ewido Security Suite.
    • Install the Program.
    • Click on the "update" button on the left hand side of the window.
    • Click on "Start Update".
    • You should not run the program yet so Exit the program.
  • Prepare Nailfix for use:
    • Download Nailfix.
    • Unzip the contents of the zip file to your Desktop.
    • Do not run it yet.
  • Reboot into Safe mode. To reboot in Safe mode:
    • Restart your computer and immediately begin tapping the F8 key on your keyboard.
    • If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
  • Run Nailfix:
    • Double-click on Nailfix.cmd.
    • Your desktop and icons will disappear and reappear, and a window should open and close very quickly. Don't be alarmed, this is normal.
  • Run Ewido Security Suite:
    • Open Ewido Security Suite.
    • Click on the "scanner" button on the left hand side of the window.
    • Click on "Complete System Scan".
    • After the scan is completed, save the logfile from the scan.
  • Run HijackThis:
    • Open HijackThis, run a scan and check this item:
      • F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    • Close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.
  • Restart your computer normally to return to normal mode.
  • Prepare in your reply:
    • Please post a fresh HijackThis log.
    • Please post the Ewido Security Suite log.

  • 0

#22
wioombeen

wioombeen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Tj,

Yeah this nail thing just doesnt want to leave. here is the new hijack this log followed by the ewido log. thanks




Logfile of HijackThis v1.99.1
Scan saved at 10:57:45 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\ePrompter\ePrompter.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\system32\Tablet.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\user\Desktop\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [unpuxam] d:\windows\system32\wezwdf.exe r
O4 - HKLM\..\Run: [CTRegRun] D:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePrompter.lnk = D:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Spy Sweeper Fix.lnk = D:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117806100875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\system32\Tablet.exe






---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:22 AM, 7/23/2005
+ Report-Checksum: 467897

+ Scan result:

:mozilla.336:D:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\w3sbj9x3.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup


::Report End


i no longer get any problems with aurora due to nail. nail does nothing to my system except display a msg whenever i reboot my system saying nail.exe cannot be found press browse to find it manually.

i havent recieved any helkern attacks in a few weeks which is awsome.
also what do you recomend for a security set up as far as antivirus and spyware. i currently run adwatch,xsoft,search and destory and i use kespersky as my antivirus.

thanks for your time!

wioombeen

Edited by wioombeen, 23 July 2005 - 09:05 PM.

  • 0

#23
tj416

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi wioombeen,
  • First of all, you have two anti-virus softwares running. Disable one of them (it doesn't matter which). Two softwares can conflict with each other.
  • Disable Ad-watch and SpySweeper as they may interfere with the fixes that we need to make:
    • To disable Ad-Watch:
      • Open AdAware SE.
      • Go to AdWatch User Interface.
      • Go to Tools and Preferences.
      • At the bottom of the screen you will see 2 options Active and Automatic.
      • Active: This will turn Ad-Watch On\Off without closing it
      • Automatic: Suspicious activity will be blocked automatically
      • Uncheck both options. You can enable these after resolving your problem.
    • To disable SpySweeper:
      • Open it click >Options over to the left then >Program Options >Uncheck "load at windows startup".
      • Over to the left click "shields" and uncheck all there.
      • Uncheck "home page shield".
      • Uncheck "automatically restore default without notification".
  • Boot into Safe Mode:
    • Restart your computer and immediately begin tapping the F8 key on your keyboard.
    • If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
  • Run Nailfix:
    • Double-click on Nailfix.cmd.
    • Your desktop and icons will disappear and reappear, and a window should open and close very quickly. Don't be alarmed, this is normal.
  • Run Ewido Security Suite:
    • Open Ewido Security Suite.
    • Click on the "scanner" button on the left hand side of the window.
    • Click on "Complete System Scan".
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop.
  • Fix malicious entries with HijackThis v1.99.1:
    • Open HijackThis and click Scan.
    • Place checkmarks in the boxes next to these entries (if present):
      • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
      • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      • F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
      • O4 - HKLM\..\Run: [unpuxam] d:\windows\system32\wezwdf.exe r
      • O18 - Filter: text/html - (no CLSID) - (no file)
    • Once you have placed a checkmark next to each one of them, close all Windows and Browsers and click Fix Checked.
  • Delete this file (if present):
    • d:\windows\system32\wezwdf.exe
  • Restart your computer normally to return to normal mode.
  • Prepare in your reply:
    • Please post a fresh HijackThis log.
    • Please post the Ewido Security Suite log.

Edited by tj416, 26 July 2005 - 01:23 AM.

  • 0

#24
wioombeen

wioombeen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Tj,

I tried to get my ewido to work but it always comes up program not responding so i will try and reinstall it! i did the hijack this portion of it! here is the new log!

thanks wioombeen



Logfile of HijackThis v1.99.1
Scan saved at 1:20:23 AM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\ePrompter\ePrompter.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Tablet.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\user\Desktop\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTRegRun] D:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CamTray.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePrompter.lnk = D:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117806100875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\system32\Tablet.exe
  • 0

#25
tj416

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi wioombeen,

Sorry it to me so long to get back to you. I was on holiday. Please post a fresh HijackThis log and I will be happy to take a look at it.
  • 0

Advertisements


#26
wioombeen

wioombeen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Tj,

No worries! heres the new hijack this log! thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:51:58 AM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\ePrompter\ePrompter.exe
D:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Tablet.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
D:\Program Files\BitLord\BitLord.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\user\Desktop\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - D:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - D:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTRegRun] D:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunOnce: [InstallShieldSetup] D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /reboot{654F0312-CB3D-4FE2-962C-6BB9752E9146} /z
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative WebCam Tray] D:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePrompter.lnk = D:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Viewpoint Search - res://D:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117806100875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\system32\Tablet.exe
  • 0

#27
tj416

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi wioombeen,

First of all, you have two anti-virus softwares running. Disable one of them (it doesn't matter which). Two softwares can conflict with each other.

Then, disable Ad-Watch as it may interfere with the fixes that we need to make:
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On\Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options. You can enable these after resolving your problem.
Then, open HijackThis, run a scan and check these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com


Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then, reboot and post a new log in this thread.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP