Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

aurora and nail.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
weStone

weStone

    Member

  • Member
  • PipPip
  • 24 posts
i HATE aurora. i just can't stand it anymore. it has infected my computer with several other programs that i'm not really aware of. heres my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 4:50:48 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\valve\steam\steam.exe
c:\windows\system32\afkzrb.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\exp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [mknkxb] c:\windows\system32\fpcmsk.exe r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.4.1_02) -
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\wonstrm.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
  • 0

Advertisements


#2
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
You have the latest version of VX2. Download L2mfix from

http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#3
weStone

weStone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
thanks for responding, heres my l2mfix.bat log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E158131F-6D40-0930-2365-1F14F56284B9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Property Sheet Shell Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aunps2.dll Wed Aug 3 2005 4:09:20a A.... 24,576 24.00 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
datadx.dll Wed Aug 3 2005 5:52:50a A.... 29,696 29.00 K
divx.dll Thu Jun 9 2005 1:32:28p A.... 692,736 676.50 K
dtu100.dll Wed May 18 2005 2:40:22p A.... 200,704 196.00 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
ivrwn.dll Wed Aug 3 2005 5:52:50a A.... 16,384 16.00 K
mdvidctl.dll Wed Aug 3 2005 4:20:28a ..S.R 417,792 408.00 K
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
ncepuoo.dll Wed Aug 3 2005 5:52:50a A.... 34,816 34.00 K
nnprovau.dll Wed Aug 3 2005 4:27:48a ..S.R 417,792 408.00 K
sporder.dll Thu Jul 28 2005 1:55:16p A.... 8,464 8.27 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 5:25:36p ..... 15,360 15.00 K

24 items found: 24 files (2 H/S), 0 directories.
Total of file sizes: 5,158,832 bytes 4.92 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Wed Aug 3 2005 4:21:28a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E413-1384

Directory of C:\WINDOWS\System32

08/03/2005 04:27 AM 417,792 nnprovau.dll
08/03/2005 04:21 AM 417,792 guard.tmp
08/03/2005 04:20 AM 417,792 mdvidctl.dll
07/04/2005 07:04 PM <DIR> DLLCACHE
04/12/2005 12:11 AM 5,632 Thumbs.db
08/09/2003 08:50 PM <DIR> Microsoft
4 File(s) 1,259,008 bytes
2 Dir(s) 45,090,873,344 bytes free
  • 0

#4
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#5
weStone

weStone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
heres the l2mfix log:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\weStone\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\weStone\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\weStone\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1560 'explorer.exe'
Killing PID 1560 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\mdvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nnprovau.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nnprovau.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\mdvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\mdvidctl.dll
deleting: C:\WINDOWS\system32\mdvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\mdvidctl.dll
deleting: C:\WINDOWS\system32\nnprovau.dll
Successfully Deleted: C:\WINDOWS\system32\nnprovau.dll
deleting: C:\WINDOWS\system32\nnprovau.dll
Successfully Deleted: C:\WINDOWS\system32\nnprovau.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: mdvidctl.dll (164 bytes security) (deflated 48%)
adding: nnprovau.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 76%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 60%)
adding: test.txt (164 bytes security) (deflated 73%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: mdvidctl.dll
deleting local copy: mdvidctl.dll
deleting local copy: nnprovau.dll
deleting local copy: nnprovau.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\mdvidctl.dll
C:\WINDOWS\system32\mdvidctl.dll
C:\WINDOWS\system32\nnprovau.dll
C:\WINDOWS\system32\nnprovau.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


heres the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:59 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hukjmn.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\windows\system32\lkgzlw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hukjmn.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.4.1_02) -
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Edited by weStone, 04 August 2005 - 08:47 AM.

  • 0

#6
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Uninstall your current version of Ewido then follow this.

First:
Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CCleaner and install it, but do not run it yet.

Please download this file: Revised Installer for the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [random] C:\windows\system32\random.exe r

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.
NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always in in a single letter r.

Locate and delete the following File in BOLD:
c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).

Now run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan by using Add Reply
  • 0

#7
weStone

weStone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
heres my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:27:28 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rcdk.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\bfdacrw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hukjmn.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.4.1_02) -
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

heres my ewido scan report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:15:28 PM, 8/4/2005
+ Report-Checksum: A4610EBE

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\eZulaBootExe.EXE -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CLSID -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CurVer -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher\CLSID -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{BAF13496-8F72-47A1-9CEE-09238EFC75F0} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\eZula -> Spyware.eZula : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\eZula\Setup -> Spyware.eZula : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\eZula\Setup\ID -> Spyware.eZula : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\VB and VBA Program Settings\VBouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-1390067357-1770027372-839522115-1004\Software\VB and VBA Program Settings\VBouncer\Settings -> Spyware.VirtualBouncer : Cleaned with backup
[808] c:\windows\system32\jnwrys.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.15:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.47:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.83:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.84:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.86:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.90:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.91:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.92:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.93:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.94:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.95:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.96:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.97:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.98:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.99:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.100:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.101:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.103:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.104:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.152:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.178:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.179:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.180:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.181:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.214:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.226:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.227:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.229:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.241:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
:mozilla.259:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.269:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.286:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.299:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.305:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.308:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.309:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.310:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.311:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.312:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.321:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.335:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.367:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.393:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.399:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.400:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.401:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.418:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adition : Cleaned with backup
:mozilla.420:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adition : Cleaned with backup
:mozilla.442:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.446:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.466:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.477:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.510:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.511:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Xhit : Cleaned with backup
:mozilla.512:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Xhit : Cleaned with backup
:mozilla.530:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.546:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.571:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.664:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.702:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.723:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.724:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.725:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.726:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.727:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.728:C:\Documents and Settings\weStone\Application Data\Mozilla\Firefox\Profiles\mx7k3mbz.weStone\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\weStone\Cookies\westone@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\weStone\Desktop\l2mfix\backup.zip/mdvidctl.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\weStone\Desktop\l2mfix\backup.zip/nnprovau.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\weStone\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Error during cleaning
C:\Program Files\eZula -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\eabh.dll -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\seng.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\bootstat.dat:hfyoh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:kabaj -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:pptzh -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\KB828741.log:winfx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB840987.log:xjgkd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB841356.log:piylz -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\kzvalw.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ntdtcsetup.log:ihual -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntdtcsetup.log:mwaow -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ocgen.log:xdwui -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:onsxk -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\regopt.log:bzfqe -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\regopt.log:hokdn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\regopt.log:htdxo -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\River Sumida.bmp:fhorp -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\River Sumida.bmp:zuwci -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setupact.log:qufop -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setupapi.log.0.old:jsayk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setuperr.log:soypw -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\Sti_Trace.log:prwzm -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\SYSTEM32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\exp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\SYSTEM32\ezPopStub.exe -> Adware.eZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\ezstub.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\jnwrys.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\rk.bin -> Spyware.RK : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\Windows Update.log:ieidp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:bhvmx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:dljfa -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:uftti -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt.bmp:kxngi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt256.bmp:xefps -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:esxmw -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:tkklx -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End



just to let you know.. i wasn't able to go through the procedure shown below, since the random.exe was recreating and renaming itself everytime i would delete it's registry key. and i wasn't able to delete the file[s] itself manually since the file[s] was running at all times.

Locate and delete the following File in BOLD:
c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).

also the nail.exe seems to come back whenever i delete it. i think these reactions makes it seem prominent that my computer has been infected with a Qoologic infection, which i've encountered before. i have forgotten the process of eliminating this infection so it would be much appreciated if you would help me out.

Edited by weStone, 04 August 2005 - 01:39 PM.

  • 0

#8
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hukjmn.exe reg_run
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.4.1_02) -

4. Delete the files. (if present)

C:\WINDOWS\system32\hukjmn.exe

5. Reboot and post a new Hijackthis log here in a reply.
  • 0

#9
weStone

weStone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
here you go:
Logfile of HijackThis v1.99.1
Scan saved at 2:20:07 AM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\valve\steam\steam.exe
c:\windows\system32\uzikljp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [jzkeep] c:\windows\system32\uzikljp.exe r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: rcdk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

i wasn't able to delete the hukjmn.exe manually. it would disappear everytime i would try to delete it.
  • 0

#10
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Looks like you got nail.exe again.

First:
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CCleaner and install it, but do not run it yet.

Please download this file: Revised Installer for the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - Global Startup: rcdk.exe
O4 - HKLM\..\Run: [random] C:\windows\system32\random.exe r

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.
NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always in in a single letter r.

Locate and delete the following File in BOLD:
c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).

Now run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan by using Add Reply
  • 0

#11
weStone

weStone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:27:37 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} -
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

ewido scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:15:43 AM, 8/5/2005
+ Report-Checksum: 2DB705AE

+ Scan result:

[804] c:\windows\system32\mhdqnn.exe -> Adware.BetterInternet : Error during cleaning
C:\Documents and Settings\weStone\Cookies\westone@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\weStone\Cookies\westone@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\weStone\Cookies\westone@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\weStone\Cookies\westone@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\weStone\Desktop\l2mfix\backup.zip/mdvidctl.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\weStone\Desktop\l2mfix\backup.zip/nnprovau.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\weStone\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\SYSTEM32\gabuhn.exe -> Adware.BetterInternet : Cleaned with backup


::Report End
  • 0

#12
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

2. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} -

3. Reboot and post a new Hijackthis log here in a reply.
  • 0

#13
weStone

weStone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
here you go:
Logfile of HijackThis v1.99.1
Scan saved at 12:31:52 AM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Star Downloader\stardown.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe


for some reason after the previous clean up, a ms-dos window kept on popping up
and it was named c:\windows\system32\hukjmn.exe. and when i looked into the task manager to close the hukjmn.exe window, it showed as ntvdm.exe and the file won't stop reappearing whenever i end the process.

Edited by weStone, 05 August 2005 - 10:51 PM.

  • 0

#14
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
ntvdm.exe is a legit process.

Your log is clean :tazz:

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.
  • 0

#15
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP