Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

The ABI network and other problems [CLOSED]


  • This topic is locked This topic is locked

#1
Anthony H

Anthony H

    New Member

  • Member
  • Pip
  • 2 posts
Yesterday while using internet explorer i managed to gain a horde of problems, and was hoping someone could help me :tazz:

I downloaded hijackthis and here's my log

Logfile of HijackThis v1.99.1
Scan saved at 12:00:55, on 26/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
c:\winnt\system32\zrotvev.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\Pelmiced.exe
C:\WINNT\System32\NILaunch.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINNT\system32\ico.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hello\Hello.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINNT\system32\dsfdat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\jnrjnq.exe
C:\WINNT\system\vsvorxwi.exe
C:\WINNT\system32\cewx32.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2003 DVD\EDICT.EXE
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Google\ggverscheck67-15.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\cleaning the computer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zpecialof...om/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.surfya.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialof....asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Daemon Spy] ICONSPY.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [FlashInstaller] D:\flashstart.exe D:\bt.exe run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [\\NETVISTA\EPSON Stylus C46 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P34 "\\NETVISTA\EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemix32.exe
O4 - HKLM\..\Run: [qp9f36S] dsfdat.exe
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\jnrjnq.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [IEACCESS] C:\WINNT\system32\temp532.exe -N
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bWestFrontier1002.exe run
O4 - HKLM\..\Run: [dgazki] c:\winnt\system32\zrotvev.exe r
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Popup Defender] "C:\Program Files\Popup Defender\pd.exe" Minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [bEqpRWepW] cewx32.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Dictionary Tools.lnk = C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2003 DVD\EDICT.EXE
O4 - Startup: Spyware Doctor.lnk = C:\Program Files\Spyware Doctor\spydoctor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.amazon.co.uk
O15 - Trusted Zone: http://news.bbc.co.uk
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.bcg.com
O15 - Trusted Zone: http://www.bcglondon.com
O15 - Trusted Zone: http://www.blackwell-synergy.com
O15 - Trusted Zone: http://www.blogger.com
O15 - Trusted Zone: http://www.co-operativebank.co.uk
O15 - Trusted Zone: http://www.deloitte.co.uk
O15 - Trusted Zone: http://www.epson.co.uk
O15 - Trusted Zone: http://www.tfl.gov.uk
O15 - Trusted Zone: http://www.gsk.com
O15 - Trusted Zone: http://businessplus.hemscott.net
O15 - Trusted Zone: http://www.lmh-jcr.co.uk
O15 - Trusted Zone: http://membres.lycos.fr
O15 - Trusted Zone: http://www.mars.com
O15 - Trusted Zone: http://www.nitlc.com
O15 - Trusted Zone: http://hicks.nuff.ox.ac.uk
O15 - Trusted Zone: http://www.careers.ox.ac.uk
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://www.studentsupportdirect.co.uk
O15 - Trusted Zone: http://www.targetedgrad.com
O15 - Trusted Zone: http://www.thetrainline.com
O15 - Trusted Zone: http://www.timesonline.co.uk
O15 - Trusted Zone: http://www.ucl.ac.uk
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymen...ild/vxiewer.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://eshare.gsk.com/qp2.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymen...ild/vbiewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...d27385372aa45d2
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://62.4.84.150/data/sc.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba842.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe


Thanks to anyone who does help me
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download ETRemover and unzip it. Don't run it yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in it, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

VBouncer
SurfSideKick 3
EliteBar


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zpecialof...om/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.surfya.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialof....asp?keyword=%s
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitemix32.exe
O4 - HKLM\..\Run: [qp9f36S] dsfdat.exe
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\jnrjnq.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [IEACCESS] C:\WINNT\system32\temp532.exe -N
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bWestFrontier1002.exe run
O4 - HKLM\..\Run: [dgazki] c:\winnt\system32\zrotvev.exe r - this file may change it's name, so if you can't find it, look for a random entry that ends the line with the letter r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [bEqpRWepW] cewx32.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...d27385372aa45d2
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://62.4.84.150/data/sc.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba842.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system\vsvorxwi.exe
C:\WINNT\EliteToolBar\
C:\WINNT\conscorr.exe
C:\WINNT\system32\PSof1.exe
C:\WINNT\system32\exp.exe
C:\WINNT\system32\wintask.exe
C:\PROGRA~1\VBOUNCER\
C:\WINNT\cfgmgr52.dll
C:\WINNT\system32\richup.exe
C:\winnt\system32\elitemix32.exe
dsfdat.exe
C:\WINNT\system32\exp
C:\WINNT\system32\jnrjnq.exe
C:\WINNT\VCMnet11.exe
C:\WINNT\system32\temp532.exe
c:\winnt\system32\zrotvev.exe - this filename might change, so delete whatever the new filename is (see above HijackThis log for clues)
C:\Program Files\SurfSideKick 3\
cewx32.exe
C:\WINNT\svcproc.exe

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.

Run ETRemover.exe now.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
Anthony H

Anthony H

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Thanks for all your help. Hopefully we've fixed the problem.

Here's a log from hijackthis.

Logfile of HijackThis v1.99.1
Scan saved at 13:25:02, on 27/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\cleaning the computer\security suite\ewidoctrl.exe
C:\cleaning the computer\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\Pelmiced.exe
C:\WINNT\system32\ico.exe
C:\WINNT\System32\NILaunch.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hello\Hello.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINNT\system32\cewx32.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2003 DVD\EDICT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\cleaning the computer\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Daemon Spy] ICONSPY.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [FlashInstaller] D:\flashstart.exe D:\bt.exe run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [\\NETVISTA\EPSON Stylus C46 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P34 "\\NETVISTA\EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [bEqpRWepW] cewx32.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Dictionary Tools.lnk = C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2003 DVD\EDICT.EXE
O4 - Startup: Spyware Doctor.lnk = C:\Program Files\Spyware Doctor\spydoctor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.amazon.co.uk
O15 - Trusted Zone: http://news.bbc.co.uk
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.bcg.com
O15 - Trusted Zone: http://www.bcglondon.com
O15 - Trusted Zone: http://www.blackwell-synergy.com
O15 - Trusted Zone: http://www.blogger.com
O15 - Trusted Zone: http://www.co-operativebank.co.uk
O15 - Trusted Zone: http://www.deloitte.co.uk
O15 - Trusted Zone: http://www.epson.co.uk
O15 - Trusted Zone: http://www.tfl.gov.uk
O15 - Trusted Zone: http://www.gsk.com
O15 - Trusted Zone: http://businessplus.hemscott.net
O15 - Trusted Zone: http://www.lmh-jcr.co.uk
O15 - Trusted Zone: http://membres.lycos.fr
O15 - Trusted Zone: http://www.mars.com
O15 - Trusted Zone: http://www.nitlc.com
O15 - Trusted Zone: http://hicks.nuff.ox.ac.uk
O15 - Trusted Zone: http://www.careers.ox.ac.uk
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://www.studentsupportdirect.co.uk
O15 - Trusted Zone: http://www.targetedgrad.com
O15 - Trusted Zone: http://www.thetrainline.com
O15 - Trusted Zone: http://www.timesonline.co.uk
O15 - Trusted Zone: http://www.ucl.ac.uk
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\cleaning the computer\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\cleaning the computer\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe

If you wouldn't mind giving it another look to make sure everything's okay.
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
A little more to go...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [FlashInstaller] D:\flashstart.exe D:\bt.exe run
O4 - HKCU\..\Run: [bEqpRWepW] cewx32.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\cewx32.exe
D:\flashstart.exe
D:\bt.exe


Restart and run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP