Hijackthis log, Aurora/ABI [RESOLVED]


  • This topic is locked

#16
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (O23)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Service: System Startup Service (SvcProc)
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste SvcProc in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\svcproc.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0


#17
pete5883

    Member

  • Topic Starter
  • 16 posts
Once again, AVG found the dinst.exe virus but couldn't do anything about it. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:43 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\rgrhfe.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Apache Group\Apache2\bin\Apache.exe
D:\mysql\bin\winmysqladmin.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [axsldge] C:\WINDOWS\system32\rgrhfe.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097596608666
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Apache2 - Unknown owner - D:\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
  • 0

#18
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
One more time. Please download new files from the net (except for Ewido and Cleanup).

Please print out or copy this page to Notepad for we will be doing most of our work in Safe Mode. Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Download DSRFIX by Atribune, et al... from HERE onto your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download this file: Revised Installer for the Nailfix Utility
    • Save it to your desktop.
    • DO NOT RUN IT YET.
  • Reboot your computer into SafeMode by doing the following:
    • To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:
    • OR
      • Restart your computer
      • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
      • Instead of Windows loading as normal, a menu should appear
      • Select the first option, to run Windows in Safe Mode.
    Once in Safe Mode,

  • Double-click on nailfix.exe.
    • Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    • Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
  • Open the folder dsrfix
    • Double-click on the dsrfix batch file (the one with the little gear in it)
    • Once dsrfix has completed it will close on its own
  • Open Ewido and scan your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      • You will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections"
      • If you are unsure of any entry found select none for now as the action.
    • Once the scan has completed, click the Save Report button located on the bottom of the screen and choose your DESKTOP as the destination.
  • Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [axsldge] C:\windows\system32\rgrhfe.exe r



  • Close all open windows except for HJT, click the Fix Checked button and EXIT HJT.

    NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r

  • Now, using Windows Explorer, locate and DELETE the following Files/Folders (with all their content), if they are present:

    c:\windows\system32\rgrhfe.exe (or whatever the name may have changed to, as noted above).
    C:\WINDOWS\Nail.exe

  • Run Cleanup
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program
  • Finally, REBOOT into Normal Mode and please post a new HijackThis log, as well as the report log from the Ewido scan.
Regards,

Trevuren

  • 0

#19
pete5883

    Member

  • Topic Starter
  • 16 posts
(posting from another computer)

While I'm waiting for ewido to finish scanning, I'll point out that I don't think dsrfix did anything because it didn't find c:\windows\redir.txt, dsr.exe, dinst.exe, or dsr.dll. I looked in the directory where AVG claimed that dinst.exe was and it's not in there.

Is the problem getting any better at least? I didn't have any winfixer windows last time but I'm not sure if that was a fluke or not.
  • 0

#20
pete5883

    Member

  • Topic Starter
  • 16 posts
Once again could not delete the randomly named exe because it was being used. Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:30 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\System32\ati2evxx.exe
D:\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\iiprpi.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\mysql\bin\winmysqladmin.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [qgskmx] C:\WINDOWS\system32\iiprpi.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097596608666
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Apache2 - Unknown owner - D:\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

and ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:24:01 AM, 8/11/2005
+ Report-Checksum: D30E3B76

+ Scan result:

[820] C:\WINDOWS\system32\rfcawna.exe -> Trojan.Agent.cp : Cleaned with backup
[972] VM_00AD0000 -> Adware.BetterInternet : Error during cleaning
C:\WINDOWS\bmlgunuadup.exe -> Adware.BetterInternet : Cleaned with backup
D:\Documents and Settings\pcintula\Cookies\pcintula@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\Documents and Settings\pcintula\Cookies\pcintula@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup


::Report End
  • 0

#21
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Let's hope so


Trevuren
  • 0

#22
pete5883

    Member

  • Topic Starter
  • 16 posts
Unfortunately still getting Aurora popups though...
  • 0

#23
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
There is something that is not working properly. And that is an understatement. You are the first refractory case I have had to treat. I need some time to try and develop another approach.


Trevuren
  • 0

#24
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Are you aware that you are running a Hibernation Service?


Trevuren

Edited by Trevuren, 11 August 2005 - 09:21 AM.

  • 0

#25
pete5883

    Member

  • Topic Starter
  • 16 posts
I thought a hibernation service was something that puts the computer into hibernate mode? Anyway, the problem I see is that even in Safe Mode the computer boots with the random .exe running; if it weren't running then I should be able to delete it, since I've never been able to after running Ewido.
  • 0


#26
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for <<C:\WINDOWS\system32\iiprpi.exe>>.
  • Open your C:\Windows\system32 folder and search for << iiprpi.exe>>.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select <<C:\Windows\System32\iiprpi.exe>> and Click Kill3
  • Then immediately delete <<iiprpi.exe>> from your system32 folder.
Close APT.


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [qgskmx] C:\WINDOWS\system32\iiprpi.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe



Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK

Now run the CleanUp program:


Finally, restart your computer back into Normal Mode and please post a new HJT log by using Add Reply


Regards,

Trevuren

  • 0
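The pattern noted in posts #18 and #26 (a Run entry under a changing random name that always ends in a single letter r, alongside the F2 shell line and the SvcProc service) can be tracked across successive HijackThis logs. This is an added example, not part of the original thread or any poster's code; the sample lines are copied from the logs above, while the rule names, the `scan` and `compare` helpers, and the O23 heuristic (unknown owner with the binary directly in the Windows folder) are assumptions made for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name path")

# Constructed samples: a subset of lines copied from the 8/10 and 8/11 logs above.
LOG_AUG10 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [axsldge] C:\WINDOWS\system32\rgrhfe.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
"""
LOG_AUG11 = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [qgskmx] C:\WINDOWS\system32\iiprpi.exe r
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

# Illustrative rules (assumptions), one per entry type the helper asks to fix.
RULES = [
    # F2: system.ini Shell= value that names a second program after Explorer.exe
    ("F2-shell", re.compile(
        r"^F2 - REG:system\.ini: Shell=Explorer\.exe\s+(?P<path>\S.*)$", re.I)),
    # O4: Run value pointing at an unquoted system32 .exe with a lone "r" argument
    ("O4-run-r", re.compile(
        r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
        r"(?P<path>[A-Z]:\\WINDOWS\\system32\\[^\\\s]+\.exe) r$", re.I)),
    # O23: service with unknown owner whose binary sits directly in the Windows dir
    ("O23-unknown-svc", re.compile(
        r"^O23 - Service: (?P<name>.+?) - Unknown owner - "
        r"(?P<path>[A-Z]:\\WINDOWS\\[^\\]+\.exe)$", re.I)),
]


def scan(log_text):
    """Return a Finding for every log line that matches one of RULES."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in RULES:
            m = rx.match(line)
            if m:
                groups = m.groupdict()
                findings.append(Finding(kind, groups.get("name", ""), groups["path"]))
                break
    return findings


def compare(before, after):
    """Per rule, classify what happened between two logs of the same machine."""
    old_all, new_all = scan(before), scan(after)
    report = {}
    for kind, _ in RULES:
        old = {f.path.lower() for f in old_all if f.kind == kind}
        new = {f.path.lower() for f in new_all if f.kind == kind}
        if not old and not new:
            continue
        if not new:
            status = "removed"
        elif not old:
            status = "new"
        elif old == new:
            status = "persists"
        else:
            status = "renamed"  # same persistence pattern, different file name
        report[kind] = (status, sorted(old), sorted(new))
    return report


if __name__ == "__main__":
    for kind, (status, old, new) in compare(LOG_AUG10, LOG_AUG11).items():
        print(f"{kind:16} {status:9} {old} -> {new}")
```

A "renamed" result for the O4 rule is the situation in this thread: the earlier file name is gone from the log but the same autostart pattern is still present under a new name.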

#27
pete5883

    Member

  • Topic Starter
  • 16 posts
So far so good:

Logfile of HijackThis v1.99.1
Scan saved at 2:04:05 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\System32\ati2evxx.exe
D:\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Apache Group\Apache2\bin\ApacheMonitor.exe
D:\mysql\bin\winmysqladmin.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097596608666
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Apache2 - Unknown owner - D:\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe

And ewido log, if you need it:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:58:05 PM, 8/11/2005
+ Report-Checksum: AE843EBE

+ Scan result:

C:\WINDOWS\bmlgunuadup.exe -> Adware.BetterInternet : Cleaned with backup
D:\Documents and Settings\pcintula\Cookies\pcintula@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
D:\Documents and Settings\pcintula\Cookies\pcintula@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\Documents and Settings\pcintula\Cookies\pcintula@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup


::Report End
  • 0

#28
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0

#29
pete5883

    Member

  • Topic Starter
  • 16 posts
Browsed to a few sites without any popups or problems, so I'd say I'm ready for cleanup :tazz:
  • 0

#30
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

2. Clean up the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0
