Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

cant remove Aurora ABI


  • Please log in to reply

#1
torvie

torvie

    New Member

  • Member
  • Pip
  • 8 posts
Please help hijackthis log.

<<>>
Logfile of HijackThis v1.99.1
Scan saved at 09:31:01, on 2005-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Winamp3\winampa.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\program\powerstrip\pstrip.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\cvkjuu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Personal\bin\Personal.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\wkjquumuqzz.exe
C:\Documents and Settings\Fredrik\Mina dokument\fredrik\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Shut Down or Restart Now Eval] C:\Program\JENYKS~1\SHUTDO~1\Shut Down or Restart Now Evaluation Version.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PowerStrip] c:\program\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [PVUnInst1] C:\Program Files\PVUnInst1.exe
O4 - HKLM\..\Run: [unrznq] c:\windows\system32\cvkjuu.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://ak1.projects...son.net/qp2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.t....com/vspta3.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafil...geUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: Domain = bredbandsbolaget.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: NameServer = 195.54.122.204,195.54.122.200
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: .NET Framework Support Service (CORRTSvc) - Unknown owner - %WinDIR%\System32\svchost.exe (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program\IPCheck Server Monitor 4\Firebird\bin\fbserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

<<>>
/torvie

Edited by torvie, 01 August 2005 - 11:41 AM.

  • 0

Advertisements


#2
torvie

torvie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
And could someone explain how i got it in the first place? (I'm using norton Anti virus scanner and ad-aware)

Thanks!
/torvie

Edited by torvie, 01 August 2005 - 11:43 AM.

  • 0

#3
torvie

torvie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Do anyone know what will do to my computer?

/torvie
  • 0

#4
torvie

torvie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi

I ran spybot and the system seems to run ok.

here is my latest logg

Logfile of HijackThis v1.99.1
Scan saved at 21:59:27, on 2005-08-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Winamp3\winampa.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\program\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Personal\bin\Personal.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fredrik\Mina dokument\fredrik\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Shut Down or Restart Now Eval] C:\Program\JENYKS~1\SHUTDO~1\Shut Down or Restart Now Evaluation Version.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PowerStrip] c:\program\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [PVUnInst1] C:\Program Files\PVUnInst1.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [uxlrak] c:\windows\system32\xsvxasl.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://ak1.projects...son.net/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122917047902
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.t....com/vspta3.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafil...geUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: Domain = bredbandsbolaget.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: NameServer = 195.54.122.204,195.54.122.200
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program\Symantec\pcAnywhere\awhost32.exe
O23 - Service: .NET Framework Support Service (CORRTSvc) - Unknown owner - %WinDIR%\System32\svchost.exe (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program\IPCheck Server Monitor 4\Firebird\bin\fbserver.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Hoi torvie,

Download APT
Open apt and search in the window for the c:\windows\system32\xsvxasl.exe.
Click Start > Run and copy this command
EXPLORER.EXE /n,/e,/select, C:\windows\system32\xsvxasl.exe
and click OK
It will open the System32 folder with the trojan selected.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select c:\windows\system32\xsvxasl.exe and Click Kill3

Then immediately delete xsvxasl.exe from your system32 folder.

Run HiJackThis. Place a check next to this item and click FIX CHECKED:

O4 - HKLM\..\Run: [uxlrak] c:\windows\system32\xsvxasl.exe r

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Rescan with HiJackThis and post the new log.

Do you know what this is for?

O4 - HKLM\..\Run: [PVUnInst1] C:\Program Files\PVUnInst1.exe

I've never seen that one before.

Regards,
  • 0

#6
torvie

torvie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi
and thanks for the attention. I cannt find the process that you asked for. Here is a new logg.

Logfile of HijackThis v1.99.1
Scan saved at 21:57:58, on 2005-08-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Winamp3\winampa.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\program\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Personal\bin\Personal.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fredrik\Mina dokument\fredrik\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Shut Down or Restart Now Eval] C:\Program\JENYKS~1\SHUTDO~1\Shut Down or Restart Now Evaluation Version.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PowerStrip] c:\program\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [PVUnInst1] C:\Program Files\PVUnInst1.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [uxlrak] c:\windows\system32\xsvxasl.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://ak1.projects...son.net/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122917047902
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.t....com/vspta3.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafil...geUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: Domain = bredbandsbolaget.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: NameServer = 195.54.122.204,195.54.122.200
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program\Symantec\pcAnywhere\awhost32.exe
O23 - Service: .NET Framework Support Service (CORRTSvc) - Unknown owner - %WinDIR%\System32\svchost.exe (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program\IPCheck Server Monitor 4\Firebird\bin\fbserver.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe



Thanks!

/Torvie
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Hi Torvie,

If you use HijackThis to fix:
O4 - HKLM\..\Run: [uxlrak] c:\windows\system32\xsvxasl.exe r

Then reboot.

The entry I asked about:
O4 - HKLM\..\Run: [PVUnInst1] C:\Program Files\PVUnInst1.exe
looks like it could be related to:
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll

Any ideas about which software they might belong to?

Regards,
  • 0

#8
torvie

torvie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi

And thanks for the help. PVUnInst1.exe is related to an installed and uninstalled applciation pricacy view something. this should be removed i guess.

I removed the line from above and re ran hijackthis, here is the log.

<<<>>>
Logfile of HijackThis v1.99.1
Scan saved at 21:00:11, on 2005-08-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Winamp3\winampa.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\program\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Personal\bin\Personal.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Real\RealOne Player\RealPlay.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fredrik\Mina dokument\fredrik\hijackthis_199\HijackThis.exe
C:\Documents and Settings\Fredrik\Mina dokument\fredrik\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Shut Down or Restart Now Eval] C:\Program\JENYKS~1\SHUTDO~1\Shut Down or Restart Now Evaluation Version.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PowerStrip] c:\program\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://ak1.projects...son.net/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122917047902
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://eleg.trust.t....com/vspta3.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafil...geUploader3.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: Domain = bredbandsbolaget.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{74B2A495-29E0-472C-AB08-417DC474E317}: NameServer = 195.54.122.204,195.54.122.200
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program\Symantec\pcAnywhere\awhost32.exe
O23 - Service: .NET Framework Support Service (CORRTSvc) - Unknown owner - %WinDIR%\System32\svchost.exe (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program\IPCheck Server Monitor 4\Firebird\bin\fbserver.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

<<<>>>

Thanks a lot!

regards,
Torvie
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Do you have a link where I can find that application or a see a description of it?

If you uninstalled it, you might as well fix this one too.

O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll

That must have been installed by the same program.

The rest looks good.
Is your computer behaving like that as well?

Regards,
  • 0

#10
torvie

torvie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi
www.privacyview.com/

And yes my computer works as expected. Thanks alot for the help.

Regards,
/Torvie
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Thank you for the info. :tazz:

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP