Rapidly changing name exe...aurora? [RESOLVED]


  • This topic is locked

#1
koniord
  • Member
  • 49 posts
Hallo,

This is a great site and I read some topics...you are doing a great job. Thanks in advance. I saw the donation link and I will use it as soon as I recover because it is very hard to find such help online.

I'm working on XP, no service packs installed. If needed I do not want to install SP2 because some audio applications I use have problems with it. No problem with SP1.

After reading before posting....
I downloaded Ad-aware-spybot and fix-cwShredder-tds-3-clean up- hijackThis, installed them after uninstalling all other relevant programs, and did what the steps indicated.
Did I forget something?

My problem persists:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:58 μμ, on 12/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\emitray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\gcvlrdn.exe
C:\DOCUME~1\KWSTAS\LOCALS~1\Temp\CMB\aurareco.exe
C:\DOCUME~1\KWSTAS\LOCALS~1\Temp\D280\abiuninst.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [jjthfoz] c:\windows\system32\xwafhkl.exe
O4 - HKLM\..\Run: [ukzkhfi] c:\windows\system32\nslkdrt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qjxkmbh] c:\windows\system32\rozxgl.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - c:\program files\avant browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - c:\program files\avant browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - c:\program files\avant browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - c:\program files\avant browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - c:\program files\avant browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Emagic EMI 2|6 System Tray Service (emitray) - Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

I will not touch anything before I have an answer.
Thank you

Edited by koniord, 12 July 2005 - 07:24 PM.

  • 0

#2
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Hello and welcome to Geeks to Go! I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have a good fix for this, I will post a reply. Thank you for your patience.
  • 0

#3
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Hi there koniord, thank you very much for the compliments; we are very glad to help you! We are happy with our job helping other people.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection.
Click here
Apply the update, reboot, and post a fresh Hijack This log.

In case you only want the sp1a please do download and install it.
SP1a
========================================
http://www.softpedia...Pack-SP1a.shtml
========================================

Edited by kool808, 14 July 2005 - 08:15 AM.

  • 0

#4
koniord
  • Topic Starter
  • Member
  • 49 posts
Hallo kool808 and thank you for your prompt reply.
I installed sp1.

Logfile of HijackThis v1.99.1
Scan saved at 1:23:22 πμ, on 15/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\emitray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [jjthfoz] c:\windows\system32\xwafhkl.exe
O4 - HKLM\..\Run: [ukzkhfi] c:\windows\system32\nslkdrt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qjxkmbh] c:\windows\system32\rozxgl.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Emagic EMI 2|6 System Tray Service (emitray) - Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Hope to hear from you soon.
The pop ups have stopped already by the way.

Thanks again
  • 0

#5
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
That is good to hear. Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference later.
=====================================
Please download the trial version of Ewido Security Suite [ HERE ]
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from [ HERE ]
Unzip it to the desktop but please DO NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
(How to boot in Safe Mode...)

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#6
koniord
  • Topic Starter
  • Member
  • 49 posts
Hallo kool808,

The nailfix link has a problem.
Also, I'm already using Ewido trial. Should I uninstall it and then do the above?

Thanks,
koniord
  • 0

#7
kool808
  • Visiting Staff
  • Member
  • 1,690 posts

Also, I'm already using Ewido trial. Should I uninstall it and then do the above?

We will be using this program for the moment since it has the potential to disinfect our problem. Keep it for the moment, and after we have cleaned your system you can safely uninstall it.

The nailfix link has a problem.

I am sorry for the link; the server must have been down at that time. I changed the link, please continue with the next procedures.

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference later.
=================================

There are actually 3 links:
http://www.noidea.us...050515010747824  <-- downserver
http://users.pandora...chy/nailfix.zip  <-- the zip version
http://users.pandora...chy/nailfix.exe  <-- the exe selfextracting version


Please download Nailfix from Here
Unzip it to the desktop but please DO NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
(How to boot in Safe Mode...)

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#8
koniord
  • Topic Starter
  • Member
  • 49 posts
Hallo,

Starting in safe mode was a bit tricky because I fell into a loop of rebooting, but after I managed to start Windows again I did it from msconfig.
Here are the new logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:07:14 μμ, 15/7/2005
+ Report-Checksum: 306A17CB

+ Scan result:

C:\Documents and Settings\KWSTAS\Cookies\kwstas@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\KWSTAS\Cookies\kwstas@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\KWSTAS\Cookies\kwstas@xxxcounter[2].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\KWSTAS\Cookies\kwstas@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\KWSTAS\Local Settings\Temp\D280\abiuninst.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\gcvlrdn.exe -> Adware.BetterInternet : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 3:14:26 μμ, on 15/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\emitray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [jjthfoz] c:\windows\system32\xwafhkl.exe
O4 - HKLM\..\Run: [ukzkhfi] c:\windows\system32\nslkdrt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qjxkmbh] c:\windows\system32\rozxgl.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Emagic EMI 2|6 System Tray Service (emitray) - Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


I have a question.
During my attempts to start windows after the problem with F8 and starting in safe mode something changed and now when the computer boots it makes a noise coming from the floppy drive....this particular noise is enough to make me go crazy.
I had disabled booting from the floppy drive and this had stopped but now it does not work this way. What should I do?

thanks again
  • 0

#9
kool808
  • Visiting Staff
  • Member
  • 1,690 posts

I have a question.
During my attempts to start windows after the problem with F8 and starting in safe mode something changed and now when the computer boots it makes a noise coming from the floppy drive....this particular noise is enough to make me go crazy.
I had disabled booting from the floppy drive and this had stopped but now it does not work this way. What should I do?


Can you describe in detail what you configured in msconfig?
  • 0

#10
koniord
  • Topic Starter
  • Member
  • 49 posts
I changed nothing in the msconfig window.
I went straight to Boot.ini, ticked /SAFEBOOT and restarted the pc.

When I finished working in safe mode I unticked /SAFEBOOT and restarted the pc in normal mode.
  • 0

#11
koniord
  • Topic Starter
  • Member
  • 49 posts
Oh I'm sorry...when I said I had disabled booting from the floppy drive I meant from the BIOS and this happened a long time ago.
To be more accurate...1st boot device: cd rom, 2nd boot device: Hard disk, 3: cd rom ....I'm not sure about the exact terms but that is the order.
  • 0

#12
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Does it still make any noises?

Let us deal first with the infections, then let us troubleshoot that afterwards.
======================================
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).
Follow the procedures for updates and setup here: Ad-Aware SE Setup
Do NOT run the scan yet!

Download Lavasoft's VX2 Cleaner plug-in HERE
  • Install the VX2 Cleaner
  • Start Ad-Aware SE
  • Go to "Plug-ins"
  • Select the VX2 Cleaner plug-in and click "Run Plugin"
  • If your computer isn't infected, click "Close".
If your computer is infected
  • Select "Clean system"
  • Reboot your computer
  • Scan your computer with Ad-Aware, full system scan.
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer
Reboot in SAFE MODE. (How to boot in Safe Mode...)
================================
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [jjthfoz] c:\windows\system32\xwafhkl.exe
O4 - HKLM\..\Run: [ukzkhfi] c:\windows\system32\nslkdrt.exe
O4 - HKLM\..\Run: [qjxkmbh] c:\windows\system32\rozxgl.exe r

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Make sure to double check the items you have selected, then click Fix Checked.

Open Ad-Aware 1.06r, then perform a full system scan.


Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • c:\windows\system32\xwafhkl.exe
  • c:\windows\system32\nslkdrt.exe
  • c:\windows\system32\rozxgl.exe
Finally, Empty Recycle Bin
======================================
Reboot in NORMAL MODE.

To make sure it is perfectly clean let us have the final check.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.

  • 0

#13
koniord
  • Topic Starter
  • Member
  • 49 posts
Hallo
The system is working

Logfile of HijackThis v1.99.1
Scan saved at 6:12:57 μμ, on 15/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\emitray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\KWSTAS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.gr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Emagic EMI 2|6 System Tray Service (emitray) - Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Please let me know about the floppy noise thing.
Thank you very much
  • 0
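
Added example, not part of the original thread and not HijackThis's or the helper's own logic: a small Python triage of HijackThis entries that flags the kinds of lines fixed in this thread and checks that they are gone from the final log. The flagging rules are assumptions derived from this thread's entries (a Shell value with anything besides Explorer.exe, an all-lowercase consonant-heavy Run value name pointing at an .exe in system32, a service marked "Unknown owner" or "file missing"), and the sample lines are a constructed excerpt of the logs posted above.

```python
import re

# Constructed sample: lines copied from the logs posted in this thread
# (log in post #4 = BEFORE, log in post #13 = AFTER), trimmed for brevity.
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [jjthfoz] c:\windows\system32\xwafhkl.exe
O4 - HKLM\..\Run: [ukzkhfi] c:\windows\system32\nslkdrt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qjxkmbh] c:\windows\system32\rozxgl.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")          # "O4 - <detail>"
RUN = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SYS32_EXE = re.compile(r"^c:\\windows\\system32\\[^\\ ]+\.exe\b", re.I)


def looks_random(name):
    """Heuristic (assumption): short all-lowercase name with 4+ consonants in a row."""
    return bool(re.fullmatch(r"[a-z]{5,10}", name)) and bool(
        re.search(r"[^aeiou]{4,}", name))


def flag(code, detail):
    """Return a reason string if the entry deserves a closer look, else None."""
    if code == "F2":
        m = re.search(r"Shell=(.*)", detail, re.I)
        progs = m.group(1).split() if m else []
        if m and [p.lower() for p in progs] != ["explorer.exe"]:
            return "Shell value starts more than Explorer.exe"
    elif code == "O4":
        m = RUN.match(detail)
        if m and looks_random(m["name"]) and SYS32_EXE.match(m["cmd"]):
            return "random-looking Run value name pointing at an exe in system32"
    elif code == "O23":
        if "(file missing)" in detail or "Unknown owner" in detail:
            return "service with unknown owner or missing binary"
    return None


def triage(log_text):
    """Map each flagged log line to the reason it was flagged."""
    flagged = {}
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m and (reason := flag(*m.groups())):
            flagged[m.group(0)] = reason
    return flagged


def remaining(before, after):
    """Flagged lines from the earlier log that still appear in the later log."""
    later = {line.strip().lower() for line in after.splitlines()}
    return [line for line in triage(before) if line.lower() in later]


if __name__ == "__main__":
    for line, reason in triage(BEFORE).items():
        print(f"{reason}:\n    {line}")
    print("still present after cleanup:", remaining(BEFORE, AFTER))
```

A flag from these rules is only a prompt to look closer, not a verdict; the legitimate entries in the same log (Java, NVIDIA, Office) pass because they fail at least one of the conditions.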

#14
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Hi koniord, very good you did a great job! Your log is much much better now. There is one more thing I need to verify.

Emagic Soft- und Hardware GmbH - C:\WINDOWS\System32\emitray.exe

Are you familiar with this? Did you install it on your system?

If you are not sure about this then I shall proceed with my next fix for you, otherwise if you are familiar with it then we proceed with the final clean up and prevention tips.

We will deal with the mousy thing later, will that be fine with you?
  • 0

#15
koniord
  • Topic Starter
  • Member
  • 49 posts
That is absolutely fine with me.
Emagic (model name:EMI 2|6) is a usb soundcard I use for music listening but I'm not sure what this exe is. I would prefer to keep it.

Edited by koniord, 15 July 2005 - 06:09 PM.

  • 0
