need Nail Aurora help please [RESOLVED]



#31 bivc (Member, Topic Starter, 26 posts)

Logfile of HijackThis v1.99.1
Scan saved at 3:14:22 PM, on 7/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ojarbl.exe
C:\Documents and Settings\Nelson\Desktop\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojarbl.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:35:32 PM, 7/21/2005
+ Report-Checksum: 2315026D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3289478746-3866634482-3106427759-1010\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3289478746-3866634482-3106427759-1010\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3289478746-3866634482-3106427759-1010\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
C:\Documents and Settings\Graciela\Cookies\graciela@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@ehg-wachovia.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Nelson\Cookies\nelson@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/AZHPRXY.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/CIMDLG32.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/ciyptui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/ICETCFG.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/muxml4r.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/SZXCOINS.DLL -> Spyware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00006797.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00006815.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00006819.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00006821.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00006941.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007134.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007136.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007159.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007380.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\NPROTECT\00007381.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\NPROTECT\00007382.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\NPROTECT\00007483.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007484.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007485.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00007517.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\dvqjiv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup


::Report End
#32 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Now for a newer infection, or should I say a variant of an older infection.

Please download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right-click the zip folder and select "Extract All"
    • Extract it somewhere you will remember, like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember, like the Desktop
Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double-click on "Track qoo.vbs"

Note: If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow the entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,

Trevuren


#33 bivc (Member, Topic Starter, 26 posts)

Hi, the download link to Track qoo is not working.
This is the WinPFind log.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com 10/19/2001 2:59:58 AM 3278 C:\WINDOWS\abiuninst.htm
PECompact2 7/14/2005 5:52:10 PM 15334915 C:\WINDOWS\LPT$VPN.729
qoologic 7/14/2005 5:52:10 PM 15334915 C:\WINDOWS\LPT$VPN.729
SAHAgent 7/14/2005 5:52:10 PM 15334915 C:\WINDOWS\LPT$VPN.729
UPX! 7/14/2005 5:52:10 PM 170053 C:\WINDOWS\tsc.exe
UPX! 3/26/2002 6:29:56 PM 80384 C:\WINDOWS\vdkkytpulnw.exe
buddy.exe 3/26/2002 6:29:56 PM 80384 C:\WINDOWS\vdkkytpulnw.exe
PECompact2 7/14/2005 5:52:10 PM 15334915 C:\WINDOWS\VPTNFILE.729
qoologic 7/14/2005 5:52:10 PM 15334915 C:\WINDOWS\VPTNFILE.729
SAHAgent 7/14/2005 5:52:10 PM 15334915 C:\WINDOWS\VPTNFILE.729
UPX! 7/14/2005 5:52:10 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 7/14/2005 5:52:10 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 6/29/2005 10:47:28 AM 94208 C:\WINDOWS\SYSTEM32\adlinstallwin32.exe
69.59.186.63 7/15/2005 5:49:30 PM 9728 C:\WINDOWS\SYSTEM32\bjona.dll
209.66.67.134 7/15/2005 5:49:30 PM 9728 C:\WINDOWS\SYSTEM32\bjona.dll
web-nex 7/15/2005 5:49:30 PM 9728 C:\WINDOWS\SYSTEM32\bjona.dll
winsync 7/15/2005 5:49:30 PM 9728 C:\WINDOWS\SYSTEM32\bjona.dll
69.59.186.63 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 7/15/2005 2:53:48 PM 29184 C:\WINDOWS\SYSTEM32\datadx.dll
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
UPX! 2/15/2001 4:13:26 PM 83456 C:\WINDOWS\SYSTEM32\dkkhoe.exe
69.59.186.63 7/15/2005 5:49:30 PM 26624 C:\WINDOWS\SYSTEM32\ldjghwk.dll
209.66.67.134 7/15/2005 5:49:30 PM 26624 C:\WINDOWS\SYSTEM32\ldjghwk.dll
web-nex 7/15/2005 5:49:30 PM 26624 C:\WINDOWS\SYSTEM32\ldjghwk.dll
winsync 7/15/2005 5:49:30 PM 26624 C:\WINDOWS\SYSTEM32\ldjghwk.dll
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 7/5/2005 6:09:42 PM 398742 C:\WINDOWS\SYSTEM32\Vtmgtck1.xml
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/12/2005 5:44:54 PM 54156 C:\WINDOWS\QTFont.qfn
7/13/2005 2:37:36 PM 0 C:\WINDOWS\INF\oem17.inf
7/22/2005 4:14:04 PM 66704 C:\WINDOWS\Minidump\Mini072205-01.dmp
7/27/2005 4:43:56 PM 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7f9ed00b8ab9f384a670920f20096ec5\BIT2.tmp
7/27/2005 4:43:50 PM 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ca1c9a5f6bfb5c940f7b592a816e164e\BIT4.tmp
7/27/2005 4:48:28 PM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/27/2005 4:49:34 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/27/2005 4:48:40 PM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/27/2005 4:49:52 PM 81920 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/27/2005 4:48:38 PM 835584 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/21/2005 4:22:02 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\10WDW6QL\desktop.ini
7/21/2005 4:22:02 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\62LN5PYO\desktop.ini
7/21/2005 4:22:02 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L0TFMMXX\desktop.ini
7/21/2005 4:22:02 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X9AO4CUV\desktop.ini
7/12/2005 10:10:40 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\c50d1d80-d4cb-4cd1-975e-154ca53285f2
7/12/2005 10:10:40 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/27/2005 4:47:52 PM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/21/2005 2:40:08 PM 61952 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnpk.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/20/2004 7:57:36 AM 7 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
2/16/2005 5:04:58 PM 74432 C:\Documents and Settings\Nelson\Application Data\GDIPFONTCACHEV1.DAT
7/12/2005 10:08:30 PM 636 C:\Documents and Settings\Nelson\Application Data\Sskdmns.dll
7/5/2005 7:37:10 PM 401625 C:\Documents and Settings\Nelson\Application Data\Sskknwrd.dll
7/5/2005 11:07:32 PM 59 C:\Documents and Settings\Nelson\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\DecExt
{a90d5ea0-a1d7-11cf-8dc1-00805fc2353f} = C:\tools\decext\decext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qftnxkmx
{597d5d21-8ab6-4b31-8555-6f7dfcbd37a1} = C:\WINDOWS\System32\bjona.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINDOWS\System32\tds3shl.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
winsync C:\WINDOWS\System32\ojarbl.exe reg_run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
scjnoh.exe C:\WINDOWS\system\scjnoh.exe
cnebca C:\WINDOWS\System32\cnebca.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.

#34 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Please make sure that you are logged into Geeks to Go when you attempt the download of Track qoo.

I just tried the link and it is working now.


Trevuren

#35 bivc (Member, Topic Starter, 26 posts)

Hi,
I'm logged in, but it says I don't have permission.
See attached file.
Thanks.

Attached: goo.JPG

#36 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Probably just a temporary glitch in the system. You can post; the proof is that I received your message.


Trevuren

#37 bivc (Member, Topic Starter, 26 posts)

Is there another link to the file?
Since yesterday I can't download it, even though I'm logged in.

Thanks.

#38 Trevuren (Old Dog, Retired Staff, 18,699 posts)

I have no trouble downloading from the site. I have asked what is happening with your case. I will get back to you as soon as possible.


Trevuren

Edited by Trevuren, 28 July 2005 - 02:50 PM.


#39 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Try here:

TrackGoo

#40 bivc (Member, Topic Starter, 26 posts)

Here it is. Thanks.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"winsync"="C:\\WINDOWS\\System32\\ojarbl.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- DecExt
{a90d5ea0-a1d7-11cf-8dc1-00805fc2353f}
C:\tools\decext\decext.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- qftnxkmx
{597d5d21-8ab6-4b31-8555-6f7dfcbd37a1}
C:\WINDOWS\System32\bjona.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}
C:\WINDOWS\System32\tds3shl.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
==============================
C:\Documents and Settings\Nelson\Start Menu\Programs\Startup

DESKTOP.INI
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


ACCESS.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
B57exp.cpl Broadcom Corporation
BCMWLCPL.CPL Broadcom Corporation
bdeadmin.cpl Borland Software Corporation
conres.cpl
DESK.CPL Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
jpicpl32.cpl Sun Microsystems
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NUSRMGR.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
P2P Networking v126.cpl Squid Software OÜ
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
STAC97.cpl SigmaTel Inc.
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
#41 Trevuren (Old Dog, Retired Staff, 18,699 posts)

So much time has elapsed since your last HJT log that I must make sure my information is current. Sorry, would you please post a fresh HJT log?


Thanks,


Trevuren


#42 bivc (Member, Topic Starter, 26 posts)

Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 11:21:09 AM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ojarbl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Nelson\Desktop\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojarbl.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#43 Trevuren (Retired Staff)
We will try the easy way first.

Please follow the instructions provided; you may want to print them out and use them as a reference.
  • Open Ewido

  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren


#44 bivc (Topic Starter)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:46:13 PM, 8/1/2005
+ Report-Checksum: 2D25A9A6

+ Scan result:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnpk.exe -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\Documents and Settings\Claudia\Cookies\claudia@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Claudia\Cookies\claudia@ehg-wachovia.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Claudia\Cookies\claudia@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@ehg-wachovia.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
C:\Documents and Settings\Nelson\Cookies\nelson@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\HJT\Hijackthis\backups\backup-20050721-143757-729-tnpk.exe -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\HJT\Hijackthis\backups\backup-20050721-143935-775-tnpk.exe -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/AZHPRXY.DLL -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/CIMDLG32.DLL -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/ciyptui.dll -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/ICETCFG.DLL -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/muxml4r.dll -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Nelson\Desktop\l2mfix\backup.zip/SZXCOINS.DLL -> Spyware.Look2Me : Cleaned without backup
C:\RECYCLER\NPROTECT\00007659.TXT -> Spyware.Cookie.Doubleclick : Cleaned without backup
C:\RECYCLER\NPROTECT\00007660.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007661.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007662.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007663.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007664.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007665.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007666.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007667.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007668.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007669.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007670.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007671.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007672.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007673.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007675.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007676.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007677.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007678.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007679.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007680.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007681.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\RECYCLER\NPROTECT\00007682.TXT -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\WINDOWS\ddhnmkk.exe -> Adware.BetterInternet : Cleaned without backup
C:\WINDOWS\SYSTEM32\adlinstallwin32.exe -> Spyware.Downloadware : Cleaned without backup
C:\WINDOWS\SYSTEM32\bjona.dll -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\WINDOWS\SYSTEM32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned without backup
C:\WINDOWS\SYSTEM32\datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned without backup
C:\WINDOWS\SYSTEM32\dkkhoe.exe -> Adware.BetterInternet : Cleaned without backup
C:\WINDOWS\SYSTEM32\ldjghwk.dll -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\WINDOWS\SYSTEM32\obrnmqd.exe -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\WINDOWS\SYSTEM32\ojarbl.exe -> TrojanDownloader.Qoologic.n : Cleaned without backup
C:\WINDOWS\SYSTEM32\redtrsha.dll -> Spyware.SafeSurfing : Cleaned without backup
C:\WINDOWS\vdkkytpulnw.exe -> Adware.BetterInternet : Cleaned without backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 12:59:34 PM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Nelson\Desktop\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojarbl.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#45 Trevuren (Retired Staff)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojarbl.exe reg_run

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode
    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\WINDOWS\System32\ojarbl.exe

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

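Added example (not from this thread, and not HijackThis or ewido code): the 8/1 log above still carries the O4 [winsync] entry even though ewido removed C:\WINDOWS\SYSTEM32\ojarbl.exe and it no longer appears under Running processes. That is exactly what the fix in the post above targets: a dangling Run value that will relaunch whatever gets dropped at that path next. The Python below parses the HJT log format, diffs the two logs and flags Run entries whose binary is not running. The BEFORE_LOG/AFTER_LOG excerpts are constructed from the log lines quoted in this thread; the function names and the "orphaned autorun" heuristic are this example's own assumptions, not HijackThis features.

```python
"""Diff two HijackThis logs and flag O4 autorun entries whose binary is gone.

Added example for this thread, not HijackThis, ewido or any poster's own code.
BEFORE_LOG/AFTER_LOG are excerpts constructed from the 7/21 and 8/1 logs
quoted above; function names and the orphan heuristic are this example's own.
"""
import re
from typing import Dict, List, NamedTuple


class RunEntry(NamedTuple):
    hive: str     # "HKLM" / "HKCU"
    name: str     # value name under ...\Run, e.g. "winsync"
    command: str  # command line as logged
    image: str    # executable path extracted from the command, lower-cased


# Only "O4 - <hive>\..\Run: [name] cmd" lines; Global Startup .lnk entries differ.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROC_HEADER = "Running processes:"


def image_from_command(cmd: str) -> str:
    """Quoted path taken verbatim; an unquoted path is cut at the first '.exe'
    so that unquoted 'Program Files' paths containing spaces still work."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_hjt_log(text: str) -> Dict[str, list]:
    """Return the running-process list and the O4 Run entries of one log."""
    processes: List[str] = []
    runs: List[RunEntry] = []
    in_procs = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == PROC_HEADER:
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line.lower())
            else:
                in_procs = False  # blank line closes the process block
        else:
            m = O4_RE.match(line)
            if m:
                runs.append(RunEntry(m["hive"], m["name"], m["cmd"],
                                     image_from_command(m["cmd"])))
    return {"processes": processes, "run_entries": runs}


def orphaned_autoruns(log: Dict[str, list]) -> List[RunEntry]:
    """Run entries whose image is not running.  Right after a clean this
    usually means the scanner deleted the file but left the registry value;
    the value is inert until a file reappears at that path, which is why it
    still gets removed with HJT's 'Fix checked'."""
    running = set(log["processes"])
    return [r for r in log["run_entries"] if r.image not in running]


def compare_logs(before_text: str, after_text: str) -> Dict[str, list]:
    """Processes that disappeared, Run entries that survived, and which of
    the survivors now point at a binary that is not running."""
    before, after = parse_hjt_log(before_text), parse_hjt_log(after_text)
    after_procs = set(after["processes"])
    after_runs = set(after["run_entries"])
    return {
        "processes_gone": [p for p in before["processes"] if p not in after_procs],
        "runs_persisting": [r for r in before["run_entries"] if r in after_runs],
        "orphaned_after": orphaned_autoruns(after),
    }


# Constructed excerpts of the two logs posted in this thread (not complete).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:14:22 PM, on 7/21/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ojarbl.exe
C:\Documents and Settings\Nelson\Desktop\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojarbl.exe reg_run
"""
# The 8/1 log: same Run entries, but ewido has removed ojarbl.exe.
AFTER_LOG = BEFORE_LOG.replace("3:14:22 PM, on 7/21/2005", "12:59:34 PM, on 8/1/2005") \
                      .replace("C:\\WINDOWS\\System32\\ojarbl.exe\n", "")

if __name__ == "__main__":
    report = compare_logs(BEFORE_LOG, AFTER_LOG)
    print("processes gone:", report["processes_gone"])
    for r in report["orphaned_after"]:
        print(f"orphaned autorun {r.hive}\\..\\Run [{r.name}] -> {r.image}")
```

Run it as a script to print the diff, or import parse_hjt_log and feed it a complete log. Anything reported as orphaned is a candidate for "Fix checked" plus a file check in Safe Mode, in the order the post above gives; a Run value that still points at a running binary needs a look at the binary itself, not just the value.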