You're my last and final hope before total format! [CLOSED]


This topic is locked.

#16 Neo-VII (Member, Topic Starter, 28 posts)
********
6:58 AM: |··· Start of Session, Thursday, August 11, 2005 ···|
6:58 AM: Spy Sweeper started
6:58 AM: Sweep initiated using definitions version 512
6:58 AM: Starting Memory Sweep
6:59 AM: Memory Sweep Complete, Elapsed Time: 00:00:40
6:59 AM: Starting Registry Sweep
6:59 AM: Registry Sweep Complete, Elapsed Time:00:00:13
6:59 AM: Starting Cookie Sweep
6:59 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:59 AM: Starting File Sweep
7:01 AM: File Sweep Complete, Elapsed Time: 00:01:15
7:01 AM: Full Sweep has completed. Elapsed time 00:02:14
7:01 AM: Traces Found: 0
********
6:49 AM: |··· Start of Session, Thursday, August 11, 2005 ···|
6:49 AM: Spy Sweeper started
6:49 AM: Sweep initiated using definitions version 512
6:49 AM: Starting Memory Sweep
6:50 AM: Memory Sweep Complete, Elapsed Time: 00:00:59
6:50 AM: Starting Registry Sweep
6:50 AM: Found Adware: drsnsrch.com hijack
6:50 AM: HKU\S-1-5-21-2052111302-842925246-1060284298-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
6:50 AM: Found System Monitor: networkessentials
6:50 AM: HKLM\software\microsoft\windows\currentversion\uninstall\cdm\ (2 subtraces) (ID = 136172)
6:50 AM: HKLM\software\novo\ (23 subtraces) (ID = 136175)
6:50 AM: HKLM\software\np\ (2 subtraces) (ID = 136176)
6:50 AM: Found Adware: purityscan
6:50 AM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (5 subtraces) (ID = 137348)
6:50 AM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (5 subtraces) (ID = 137349)
6:50 AM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (5 subtraces) (ID = 137678)
6:50 AM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (5 subtraces) (ID = 137679)
6:50 AM: Found Adware: roings search enhancment
6:50 AM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
6:50 AM: Found Adware: abetterinternet
6:50 AM: HKU\WRSS_Profile_S-1-5-21-2052111302-842925246-1060284298-500\software\aurora\ (18 subtraces) (ID = 360174)
6:50 AM: HKU\WRSS_Profile_S-1-5-21-2052111302-842925246-1060284298-501\software\aurora\ (26 subtraces) (ID = 360174)
6:50 AM: Found Adware: drsnsrch hijacker
6:50 AM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
6:50 AM: HKCR\dsrch.bottomframe\ (5 subtraces) (ID = 509135)
6:50 AM: HKCR\dsrch.leftframe\ (5 subtraces) (ID = 509136)
6:50 AM: HKCR\dsrch.popupbrowser\ (5 subtraces) (ID = 509137)
6:50 AM: HKCR\dsrch.popupwindow\ (5 subtraces) (ID = 509138)
6:50 AM: HKCR\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509139)
6:50 AM: HKCR\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509140)
6:50 AM: HKCR\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509141)
6:50 AM: HKCR\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509142)
6:50 AM: Found Adware: ieplugin
6:50 AM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
6:50 AM: HKU\S-1-5-21-2052111302-842925246-1060284298-1003\software\dsrch\ (11 subtraces) (ID = 509156)
6:50 AM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
6:50 AM: HKLM\software\classes\dsrch.bottomframe\ (5 subtraces) (ID = 509172)
6:50 AM: HKLM\software\classes\dsrch.leftframe\ (5 subtraces) (ID = 509179)
6:50 AM: HKLM\software\classes\dsrch.popupbrowser\ (5 subtraces) (ID = 509185)
6:50 AM: HKLM\software\classes\dsrch.popupwindow\ (5 subtraces) (ID = 509191)
6:50 AM: HKLM\software\classes\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509198)
6:50 AM: HKLM\software\classes\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509210)
6:50 AM: HKLM\software\classes\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509224)
6:50 AM: HKLM\software\classes\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509238)
6:50 AM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
6:50 AM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
6:50 AM: HKCR\dsrch.bottomframe\clsid\ (1 subtraces) (ID = 509363)
6:50 AM: HKCR\dsrch.bottomframe\curver\ (1 subtraces) (ID = 509364)
6:50 AM: HKCR\dsrch.leftframe\clsid\ (1 subtraces) (ID = 509365)
6:50 AM: HKCR\dsrch.leftframe\curver\ (1 subtraces) (ID = 509366)
6:50 AM: HKCR\dsrch.popupbrowser\clsid\ (1 subtraces) (ID = 509367)
6:50 AM: HKCR\dsrch.popupbrowser\curver\ (1 subtraces) (ID = 509368)
6:50 AM: HKCR\dsrch.popupwindow\clsid\ (1 subtraces) (ID = 509369)
6:50 AM: HKCR\dsrch.popupwindow\curver\ (1 subtraces) (ID = 509370)
6:50 AM: HKCR\dsrch.bottomframe.1\ (3 subtraces) (ID = 512699)
6:50 AM: HKCR\dsrch.leftframe.1\ (3 subtraces) (ID = 512706)
6:50 AM: HKCR\dsrch.popupbrowser.1\ (3 subtraces) (ID = 512713)
6:50 AM: HKCR\dsrch.popupwindow.1\ (3 subtraces) (ID = 512720)
6:50 AM: HKCR\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 512747)
6:50 AM: HKLM\software\classes\dsrch.bottomframe.1\ (3 subtraces) (ID = 513076)
6:50 AM: HKLM\software\classes\dsrch.leftframe.1\ (3 subtraces) (ID = 513080)
6:50 AM: HKLM\software\classes\dsrch.popupbrowser.1\ (3 subtraces) (ID = 513084)
6:50 AM: HKLM\software\classes\dsrch.popupwindow.1\ (3 subtraces) (ID = 513088)
6:50 AM: HKLM\software\classes\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 513114)
6:50 AM: Registry Sweep Complete, Elapsed Time:00:00:14
6:50 AM: Starting Cookie Sweep
6:50 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:50 AM: Starting File Sweep
6:54 AM: m67m.inf (ID = 74028)
6:56 AM: Found Adware: shopathomeselect
6:56 AM: bah2gl9g.dat (ID = 121494)
6:56 AM: shex.exe (ID = 94438)
6:56 AM: File Sweep Complete, Elapsed Time: 00:06:12
6:56 AM: Full Sweep has completed. Elapsed time 00:07:35
6:56 AM: Traces Found: 368
6:57 AM: Removal process initiated
6:57 AM: Quarantining All Traces: drsnsrch.com hijack
6:57 AM: Quarantining All Traces: networkessentials
6:57 AM: Quarantining All Traces: purityscan
6:57 AM: Quarantining All Traces: roings search enhancment
6:57 AM: Quarantining All Traces: abetterinternet
6:57 AM: Quarantining All Traces: drsnsrch hijacker
6:57 AM: Quarantining All Traces: ieplugin
6:57 AM: Quarantining All Traces: shopathomeselect
6:57 AM: Removal process completed. Elapsed time 00:00:08
6:58 AM: |··· End of Session, Thursday, August 11, 2005 ···|
********
6:36 AM: |··· Start of Session, Thursday, August 11, 2005 ···|
6:36 AM: Spy Sweeper started
------------------------------------------------------------------------------------------


Incident                     Status          Location
Adware:adware/superspider    No disinfected  C:\WINDOWS\SYSTEM32\services
Spyware:spyware/media-motor  No disinfected  Windows Registry
Hacktool:Hacktool/Processor  No disinfected  C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Possible Virus.              No disinfected  C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
-----------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:06:22 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
E:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
E:\progra~1\steam\steam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\system32\3DNATO~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] E:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [myziju] c:\windows\system32\zjpekav.exe r
O4 - HKLM\..\Run: [rmwfkq] c:\windows\system32\jfhkaer.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ASUS SmartDoctor] E:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Creative MediaSource Go] E:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Shrkvkar] C:\WINDOWS\system32\w?nlogon.exe
O4 - HKCU\..\Run: [Wioa] C:\Program Files\cdme\teib.exe
O8 - Extra context menu item: Download &All by FD - fdiectx2.htm
O8 - Extra context menu item: Download with &FD - fdiectx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15014/CTPID.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
#17 Rawe (Visiting Staff, 4,746 posts)
How is the system running?

There are still a couple of things we need to take care of.

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Run a scan with HijackThis and check the following objects for removal:

O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [myziju] c:\windows\system32\zjpekav.exe r
O4 - HKLM\..\Run: [rmwfkq] c:\windows\system32\jfhkaer.exe r
O4 - HKCU\..\Run: [Shrkvkar] C:\WINDOWS\system32\w?nlogon.exe
O4 - HKCU\..\Run: [Wioa] C:\Program Files\cdme\teib.exe


Make sure they are all checked and hit "Fix Checked".

Delete these files & folder;
C:\WINDOWS\system32\vidctrl\ <= Entire Folder
c:\windows\system32\zjpekav.exe
c:\windows\system32\jfhkaer.exe
C:\WINDOWS\system32\w?nlogon.exe <= Note the ? -> Only delete the file with ?
C:\Program Files\cdme\teib.exe


Then run CleanUp! and reboot.

Boot up into normal mode and run this online scan;
Panda Activescan

Post its results here with a fresh HijackThis log and tell me how the system is running.

- Rawe
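
The entries Rawe lists above can be triaged mechanically and, once fixed, confirmed gone by diffing the two HijackThis logs in this thread. The Python below is an added example written for this page; it is not part of the thread and not HijackThis code. Its sample data are excerpts of the O4 sections of the 8:06 AM and 12:54 PM logs posted above. It assumes that the `?` HijackThis prints in `w?nlogon.exe` stands for a character the tool could not render (a non-ASCII look-alike of `i`), which is why that name matches `winlogon.exe` when `?` is treated as a one-character wildcard; the three indicators it checks and the `CORE_PROCESSES` list are the example author's choices, not anything the thread states.

```python
"""Triage HijackThis O4 (Run-key) entries and diff two logs.

Added example for this page, not from the thread and not HijackThis code.
BEFORE/AFTER are excerpts of the two logs posted in the thread; the '?'
in w?nlogon.exe is assumed to be a character HijackThis could not render.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Boot-chain processes Windows starts itself (smss -> winlogon -> services,
# lsass -> svchost ...); none is launched from a Run key.  Author's list.
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass",
                  "svchost", "spoolsv", "explorer"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|scr|bat))\b", re.I)


@dataclass(frozen=True)
class RunEntry:
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # value name shown in [brackets]
    cmd: str    # command line as logged

    @property
    def exe(self) -> str:
        """Path of the program the command line starts."""
        cmd = self.cmd.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        m = EXE_RE.match(cmd)
        return m.group(1) if m else cmd.split()[0]

    @property
    def basename(self) -> str:
        return self.exe.rsplit("\\", 1)[-1]


def parse_o4(log: str) -> list:
    """Every O4 line of a HijackThis log as a RunEntry, in log order."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(**m.groupdict()))
    return entries


def suspicious(entry: RunEntry) -> list:
    """Reasons an entry deserves a look; [] means 'nothing obvious'."""
    reasons = []
    base = entry.basename.lower()
    # 1. '?' or a non-printable-ASCII character in the file name: the tool
    #    could not render it, so a look-alike character is in play.
    pattern = re.sub(r"[^\x20-\x7e]", "?", base)
    if "?" in pattern:
        reasons.append("unrenderable character in file name (look-alike)")
    # 2. Name of a boot-chain process, with '?' as a one-character wildcard,
    #    so w?nlogon.exe is caught as a winlogon.exe impostor.
    for core in sorted(CORE_PROCESSES):
        if fnmatchcase(core + ".exe", pattern):
            reasons.append(f"impersonates core process {core}.exe")
    # 3. Weak signal: random-looking all-lowercase value name that has
    #    nothing to do with the file it starts (myziju -> zjpekav.exe).
    if re.fullmatch(r"[a-z]{5,}", entry.name) and entry.name not in base:
        reasons.append("random-looking value name unrelated to executable")
    return reasons


def diff_logs(before: str, after: str):
    """(removed, added) O4 entries between two logs, sorted for display."""
    b, a = set(parse_o4(before)), set(parse_o4(after))
    def key(e): return (e.hive, e.name)
    return sorted(b - a, key=key), sorted(a - b, key=key)


# Excerpts of the thread's 8:06 AM (BEFORE) and 12:54 PM (AFTER) logs.
BEFORE = r"""
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [myziju] c:\windows\system32\zjpekav.exe r
O4 - HKLM\..\Run: [rmwfkq] c:\windows\system32\jfhkaer.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Shrkvkar] C:\WINDOWS\system32\w?nlogon.exe
O4 - HKCU\..\Run: [Wioa] C:\Program Files\cdme\teib.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam\steam.exe" -silent
"""
```

Note what the heuristics miss: `vidctrl.exe` and `teib.exe` get no reason at all. That is why Rawe's workflow is the way it is: the analyst picks the entries by eye, and the before/after diff of `diff_logs(BEFORE, AFTER)`, not the heuristics, is what confirms they are gone.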

#18 Neo-VII (Member, Topic Starter, 28 posts)

Delete these files & folder;
C:\WINDOWS\system32\vidctrl\ <= Entire Folder
c:\windows\system32\zjpekav.exe
c:\windows\system32\jfhkaer.exe
C:\WINDOWS\system32\w?nlogon.exe <= Note the ? -> Only delete the file with ?
C:\Program Files\cdme\teib.exe


I'm sorry, man. I'm pulling out my hair. I went to the C:\windows\system32 file. All of the system32 files aren't there. I have searched high and low. I arranged the windows\system32 file by type even, then I went to the exe section and still none of these match your list. There are 2 that are close, however. There are 2 winlogon.exe files in the system32 file. They are different sizes in KB. I haven't touched either yet. My computer is still in safe mode. This is our second computer I'm writing to you on.

I have even done word searches on the C drive and the windows\system32 file to find what you requested. Nothing for any of them is coming up.

Now as for "C:\Program files\cdme\teib.exe", I remember erasing this one a few steps back. The file/icon is currently not there at the moment, at least it's not visible. The only file in this area is a "ucer" file and it's empty.

Waiting on your instructions.

Edited by Neo-VII, 11 August 2005 - 11:15 AM.


#19 Rawe (Visiting Staff, 4,746 posts)

I'm sorry, man. I'm pulling out my hair. I went to the C:\windows\system32 file. All of the system32 files aren't there. I have searched high and low. I arranged the windows\system32 file by type even, then I went to the exe section and still none of these match your list. There are 2 that are close, however. There are 2 winlogon.exe files in the system32 file. They are different sizes in KB. I haven't touched either yet. My computer is still in safe mode. This is our second computer I'm writing to you on.


Can you tell me which files are close?

There are two winlogon.exe's, yes. They should be there too. ONLY delete the one with ?

If you can't find it, leave them alone.

I guess these two exe's are the ones you can't find;
c:\windows\system32\zjpekav.exe
c:\windows\system32\jfhkaer.exe

Can you tell me which ones are similar?

- Rawe

#20 Neo-VII (Member, Topic Starter, 28 posts)

I guess these two exe's are the ones you can't find;
c:\windows\system32\zjpekav.exe
c:\windows\system32\jfhkaer.exe

Can you tell me which ones are similar?


None are similar.

In the windows\system32 file all the Js are as follows:

-java.exe "looks like a square white board"
-java.exe "looks like a square white board"
-java.exe " looks like a java cup"
-jdbgmgr.exe " looks like a teddy bear"
-Jview.exe "looks like a white board with the letter J in the middle of it."

That's all the "Js" in the exe section.

As for the Z section... There is no Z section for the exe area. The last exe is called "xpsp1hfm.exe". It looks like a software setup program.

#21 Rawe (Visiting Staff, 4,746 posts)
Delete this file;
jdbgmgr.exe

It's a hoax. Otherwise, none of them are bad.

Did you find these;

C:\WINDOWS\system32\vidctrl\
C:\WINDOWS\system32\w?nlogon.exe

- Rawe

Can you also run this when you reboot back to normal mode;
Click "Start", Run and type in; MRT
Click "Ok". Click "Next". Let it scan and let me know if it finds anything.

#22 Neo-VII (Member, Topic Starter, 28 posts)
The hoax is deleted.

Did you find these;

C:\WINDOWS\system32\vidctrl\
C:\WINDOWS\system32\w?nlogon.exe


In Windows\system32 these are in the V section of the exe's:

-Verifier.exe
-vssadmin.exe
-vssvc.exe
-vwipxspx.exe


The W's exe list has a bit more on it.

-w32tm.exe
-wdfmgr.exe
-wextract.exe
-wiaacmgr.exe
-winchat.exe
-winhlp32.exe
-winlogon.exe
-winmine.exe
-winmsd.exe
-winspool.exe
-winver.exe
-wisptis.exe
-wjview.exe
-wmpstub.exe
-wowdeb.exe
-wowexec.exe
-wpabaln.exe
-wpnpinst.exe
-write.exe
-wscntfy.exe
-wscript.exe
-wuauclt1.exe 168kb
-wuauclt1.exe (looks just like the last one.) 121kb
-wupdmgr.exe
-winlogon.exe (no pic on top of it)


That's all of these letters.
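
Two files that appear to share one name cannot coexist in one Windows folder (the Win32 namespace is case-insensitive), so the second `winlogon.exe` and the second `wuauclt1.exe` in the listing above must each differ from the real one by at least one character that renders like the original. The Python below is an added example for this page, not code from the thread or from any tool named in it. It builds a throwaway folder with constructed file names (Cyrillic `і`, `а` and `е` standing in for Latin letters, which is an assumption about what HijackThis's `?` hides, not something the thread confirms), folds look-alike characters back to ASCII with a small hand-written confusables table, and reports every name whose folded form collides with a protected binary while its real name does not. It deletes nothing; it returns the candidates so the operator can remove only the impostor, which is exactly Rawe's instruction.

```python
"""Find look-alike (homoglyph) file names among Windows system binaries.

Added example for this page; not from the thread or any tool named in it.
The folder contents are constructed: Cyrillic letters stand in for the
character HijackThis printed as '?' (an assumption, not confirmed by the
thread).  Nothing is deleted; impostors are returned for the operator.
"""
import os
import tempfile
import unicodedata
from fnmatch import fnmatchcase

# Names that must exist exactly once, in plain ASCII, in system32.  A real
# scan would load the full inventory for the OS build; this is a subset.
PROTECTED = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
             "csrss.exe", "smss.exe", "explorer.exe", "wuauclt1.exe"}

# Hand-written confusables: Cyrillic/Greek letters that render like Latin
# ones in the default UI fonts.  Unicode's confusables.txt is far larger.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u03bf": "o",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0425": "X", "\u0406": "I", "\u0408": "J",
})


def fold(name: str) -> str:
    """Map look-alike characters to ASCII, drop accents, lower-case."""
    nfkd = unicodedata.normalize("NFKD", name.translate(CONFUSABLE))
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def is_ascii(name: str) -> bool:
    return all(0x20 <= ord(c) <= 0x7e for c in name)


def find_lookalikes(directory: str) -> list:
    """(file name, what it imitates) for every suspicious name in a folder."""
    hits = []
    for name in sorted(os.listdir(directory)):
        folded = fold(name)
        if folded in PROTECTED and name.lower() != folded:
            hits.append((name, folded))          # impostor of a known binary
        elif not is_ascii(name):
            hits.append((name, "<non-ascii>"))   # odd on its own in system32
    return hits


def matches_hjt_pattern(names, hjt_name: str) -> list:
    """Use HijackThis's '?' placeholder as a one-character wildcard; this
    finds both the genuine file and the impostor in one pass."""
    return [n for n in names if fnmatchcase(n, hjt_name)]


def demo() -> list:
    """Build a throwaway 'system32' with constructed contents and scan it."""
    files = ["winlogon.exe", "w\u0456nlogon.exe",     # Cyrillic i
             "wuauclt1.exe", "wu\u0430uclt1.exe",     # Cyrillic a
             "services.exe", "s\u0435rvices.exe",     # Cyrillic e
             "wscript.exe", "caf\u00e9.exe"]          # accented, not protected
    with tempfile.TemporaryDirectory() as d:
        for f in files:
            open(os.path.join(d, f), "wb").close()
        return find_lookalikes(d)


if __name__ == "__main__":
    for name, imitates in demo():
        print(f"{name!r} -> {imitates}")
```

In the listing above, the `winlogon.exe` with no icon and the 121 KB `wuauclt1.exe` are the natural candidates, but the scan is a pointer, not a verdict: check the suspect file's size, version information and creation time against the genuine one before deleting it, and leave the ASCII-named original alone.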

#23 Rawe (Visiting Staff, 4,746 posts)
OK, can you leave the deletion for a while? Please just proceed with the rest:
run CleanUp!, reboot into normal mode, then run the Panda scan and the Windows Malicious Software Removal Tool and post me the logs with a fresh HijackThis log.

- Rawe

#24 Neo-VII (Member, Topic Starter, 28 posts)
(Quote- Windows Malicious software removal tool )

Call it a brain fart, I'm forgetting this software. Can I get a link, please?

#25 Rawe (Visiting Staff, 4,746 posts)
Click "Start", Run and type in; MRT
Click "Ok". Click "Next". Let it scan and let me know if it finds anything.

That's the one.
#26 Neo-VII (Member, Topic Starter, 28 posts)
MRT says nothing is infected. I tried to get a log for you but I couldn't.



Incident                     Status          Location
Adware:adware/superspider    No disinfected  C:\WINDOWS\SYSTEM32\services
Spyware:spyware/media-motor  No disinfected  Windows Registry
Hacktool:Hacktool/Processor  No disinfected  C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Possible Virus.              No disinfected  C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

----------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 12:54:29 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
E:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\system32\3DNATO~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] E:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ASUS SmartDoctor] E:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Creative MediaSource Go] E:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
O8 - Extra context menu item: Download &All by FD - fdiectx2.htm
O8 - Extra context menu item: Download with &FD - fdiectx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15014/CTPID.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

#27 Rawe (Visiting Staff, 4,746 posts)
Delete this folder;
C:\WINDOWS\SYSTEM32\services

Empty recycle bin and reboot.

Post back and tell me how the system is running. Do you have any problems?

#28 Neo-VII (Member, Topic Starter, 28 posts)
(Quote- Delete this folder;
C:\WINDOWS\SYSTEM32\services)

The .exe file?

#29 Rawe (Visiting Staff, 4,746 posts)
There is no services folder?
Only an .exe file?

Don't delete.
Just run CleanUp, reboot, and post back and let me know how your system is running.

- Rawe

#30 Neo-VII (Member, Topic Starter, 28 posts)
Before you helped, a lot of things were stuttering. The Windows Media Player visuals were even stuttering regardless of size during any music play. My games were VERY bad. My web pages, when IE was brought up, would come up, but going page up and down would bring a lag of some sort. After I would request the page to go up and down it would creep at first and then, after 4 seconds, it would suddenly go where I told it to, or over-scroll. Even the videos/logos before the games were stuttering.

Now, with what we have done, I have done some gaming to see the results of our work. The logos/videos before the games no longer stutter. Windows Media Player no longer stutters.

The game play still stutters. Before, when I first got BF 2, I could play the game on high settings; now I'm stuck on low settings due to the spyware that has come onto my computer. The Windows scrolling still lags/creeps along, then decides to catch up 4 seconds later. A lot of improvements, yes, but I still need a little more help though. I'm sorry I couldn't find those other files last time. I can't figure out how they aren't showing up yet HijackThis would find them. My computer is under 3 different names; I'm curious if I need to log into the other names to try and find the files that we couldn't find. The current part of the computer that we have been working in does have administrator ability. So I'm not sure if it even matters.

Thanks for your help thus far.

Edited by Neo-VII, 12 August 2005 - 10:17 AM.
