Need Help With Aurora [CLOSED]

#16 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Run Cleanup!

Reboot.

Run Spybot Search and Destroy.

Then try Active Scan again.

:tazz:

Excal

#17 skanderson (Topic Starter, Member, 14 posts)
Ran cleanup, rebooted, ran Spybot (WildTangent came up again), deleted it, ran Active Scan and got the same thing for delfinmedia. Tried Regsrch again with no results (same as above). Here are the Active Scan and HijackThis logs. By the way, things seem to be running fine, but it's annoying because it wasn't there yesterday :tazz: .

Incident                    Status           Location
Adware:adware/delfinmedia   No disinfected   Windows Registry

Logfile of HijackThis v1.99.1
Scan saved at 6:54:33 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\NAgent\NSCAGENT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:\\autoproxy.verizon.com\cgi-bin\getproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=banhproxy:80;gopher=banhproxy:80;http=banhproxy:80;https=banhproxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = bell-atl.com;eweb.verizon.com;nynex.com;bellatlantic.com;basit.com;treasury.verizon.com;verizon.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...uarium/popcaploader_v6.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Norton System Agent (NSDUAgent) - Unknown owner - C:\NAgent\NSCAGENT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe

#18 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Well, the bad thing is it doesn't give us the reg entry. Let's try cleaning up the registry a bit and see if it shows up again.
  • Please download: RegSeeker.
  • Click on "Clean The Registry" in the left panel.
  • Check all boxes (make sure the backup box in the lower left corner is selected!).
  • After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
  • Click "Quit RegSeeker".
Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!


Thanks,

:tazz:

Excal

#19 skanderson (Topic Starter, Member, 14 posts)
OK. I ran RegSeeker about 9 or 10 times, and the last 4 times I kept getting the same 7 entries, which have to do with TurboTax uninstall links (one each for fed and state 2003, 2002, 2001, etc.). Even though I said to delete, they kept coming up. Then I tried running RegSrch and it didn't find an entry for delfinmedia. Then I ran Active Scan and it still shows the same delfinmedia entry as above.

#20 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Do you have another account on that computer? If you do, run that reg search on that one.

:tazz:

Excal

#21 skanderson (Topic Starter, Member, 14 posts)
Not sure exactly what you mean by accounts. I have myself, my husband and my son set up as separate users. I logged on as each of them and ran RegSrch. Still nothing comes up.

#22 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Let's see if this finds it.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Don't copy and paste the lines for infected files that are present in recovery or backup folders of an anti-spyware scanner (e.g. Ad-Aware, Spybot S&D) or your virus scanner. Those I don't need.
I don't need the infected files/lines that are present in your System Volume Information-folder.
I just want all the other infected ones apart from those above.

#23 skanderson (Topic Starter, Member, 14 posts)
OK, this is what I got:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\rufsi.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGCOMSERVICE2.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGCOMSERVICE_1048.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGCOMSERVICE_1049.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGCOMSERVICE_1051.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGCOMSERVICE_1053.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGDACCESS_1055.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\EGDHTML_1026.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\eglivecam_1028.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\eglivecam_1029.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\LiveService_5.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\nethv32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\netslv32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\objsafe.tlb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\logo.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\scribble.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\dot.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\mnature.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\hoverbot.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\will.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\powerpup.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\genius.act". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
File C:\Documents and Settings\SANDY.DELL8200\My Documents\Old Stuff\Mine\waterfree.exe tagged as "not-a-virus:AdWare.SaveNow.aq". Action Taken: No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
File C:\Documents and Settings\SANDY.DELL8200\My Documents\Old Stuff\Mine\waterfree.exe tagged as "not-a-virus:AdWare.SaveNow.aq". Action Taken: No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
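Post #22 asks for the MWav "infected items" list with restore-point and scanner-backup entries left out, and post #23 shows what those lines look like. As an added example (not code from this thread, from MWav's makers, or from Geeks to Go), here is a Python filter that parses lines in that format, deduplicates the repeats MWav prints, and separates the entries worth posting from the ones to skip. The folder markers in EXCLUDED_PATH_MARKERS and the sample lines in SAMPLE_LOG are assumptions constructed for the example; the detection names are copied from the thread.

```python
import re
from dataclasses import dataclass

# Path fragments treated as scanner backups or restore points (assumption: matched
# case-insensitively anywhere in the path; add your own scanner's quarantine folder).
EXCLUDED_PATH_MARKERS = ("\\system volume information\\", "\\recovery\\", "\\quarantine\\", "\\backups\\")

# Three line shapes seen in MWav output: tagged files, dangling registry entries, objects.
FILE_RE = re.compile(r'^File (?P<path>.+?) tagged as "?(?P<name>.+?)"?\. (?:Action Taken: )?(?P<action>[^.]+)\.$')
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<path>[^"]+)"\. Action Taken: (?P<action>[^.]+)\.$')
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>.+?)! Action Taken: (?P<action>[^.]+)\.$')

@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "entry" or "object"
    target: str  # file path, or scan area for "object"
    detail: str  # detection name, or registry key for "entry"
    action: str

def parse_mwav_line(line: str):
    """Parse one MWav infected-items line; returns None for anything else (e.g. wrapped text)."""
    line = line.strip()
    if m := FILE_RE.match(line):
        return Finding("file", m["path"], m["name"], m["action"])
    if m := ENTRY_RE.match(line):
        return Finding("entry", m["path"], m["key"], m["action"])
    if m := OBJECT_RE.match(line):
        return Finding("object", m["where"], m["name"], m["action"])
    return None

def is_backup_artifact(f: Finding) -> bool:
    """True for files sitting in restore points or scanner backup/quarantine folders."""
    return f.kind == "file" and any(m in f.target.lower() for m in EXCLUDED_PATH_MARKERS)

def filter_infected_items(text: str):
    """Split a pasted MWav list into (items worth posting, items to leave out), deduplicated."""
    kept, skipped, seen = [], [], set()
    for line in text.splitlines():
        f = parse_mwav_line(line)
        if f is None or f in seen:
            continue  # unparsable line, or a duplicate (MWav lists some files twice)
        seen.add(f)
        (skipped if is_backup_artifact(f) else kept).append(f)
    return kept, skipped

# Constructed sample in the MWav line format, with placeholder user and folder names.
SAMPLE_LOG = r'''
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\nethv32.dll". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EXAMPLE}\RP12\A0001234.exe tagged as "not-a-virus:AdWare.SaveNow.aq". Action Taken: No Action Taken.
File C:\Program Files\ExampleAntiSpyware\Recovery\backup.zip tagged as "not-a-virus:AdWare.SaveNow.aq". Action Taken: No Action Taken.
File C:\Documents and Settings\USER\My Documents\waterfree.exe tagged as "not-a-virus:AdWare.SaveNow.aq". Action Taken: No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:RiskTool.Win32.Processor.1001. No Action Taken.
'''
```

Running `filter_infected_items(SAMPLE_LOG)` keeps the object, the registry entry and the two user-folder files, and sets aside the restore-point and Recovery-folder files.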

#24 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Do you know what this file is?: C:\Documents and Settings\SANDY.DELL8200\My Documents\Old Stuff\Mine\waterfree.exe


Looks like a lot of crud in your registry.

I think it would serve you well to clean your registry!
  • Please download: RegSeeker.
  • Click on "Clean The Registry" in the left panel.
  • Check all boxes (make sure the backup box in the lower left corner is selected!).
  • After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
  • Click "Quit RegSeeker".
Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!

#25 skanderson (Topic Starter, Member, 14 posts)
C:\Documents and Settings\SANDY.DELL8200\My Documents\Old Stuff\Mine\waterfree.exe

I was moving a folder from my server at work to my home PC and that was in there. I think it's one of those waterfall screensavers. Never used it, so I deleted it. Ran RegSeeker a bunch of times and still can't get rid of those 7 TurboTax entries (see post #19). Ran Active Scan, delfinmedia is still there.

#26 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Run the Reg Cleaner on the other accounts also. It's possible the reg entry may be there.


Thanks,

:tazz:

Excal

#27 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.