WinFixer 2005


  • This topic is locked

#1
mookie954 (Member, 54 posts)
"Notice: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes, and crashes. Fixing these errors can increase your computer's performance and prevent data loss

Would you like to install WinFixer 2005 to check your computer for free?
(recommended)"

Please help me to stop this from killing my PC.
Michelle


#2
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome mookie954 to Geeks to Go!

Please don't let it install!!

Please download the latest version of HiJack This. Click here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it. Follow the instructions below if you are unsure how to save it in a permanent folder:
1.) Click on the link to download HiJackThis.exe.
2.) When it pulls up the box (for you to pick a location to save the file), click on the pulldown menu and select "[C:]".
3.) Click on the button to "create new folder" and name the folder HiJackThis
4.) Double click on the folder you just made (to go into the folder) and click "save" on the bottom of the box.
Double-click HijackThis and press 'scan and save log'.

Post that log here in this topic by using the button 'add reply'.

#3
mookie954 (Topic Starter, Member, 54 posts)
Logfile of HijackThis v1.99.1
Scan saved at 3:50:56 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpen.exe
C:\Program Files\AVPersonal\AVWIN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\BEAYER~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Bea Yerks\Application Data\Mozilla\Profiles\default\mw59bskv.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Bea Yerks\Application Data\Mozilla\Profiles\default\mw59bskv.slt\prefs.js)
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CF410323-BFC3-E06A-B5E8-954BC6375E97} - C:\WINDOWS\system32\znfr.dll
O2 - BHO: PnIEBrowserHelperObj Class - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [gdnahn] C:\WINDOWS\system32\ovnsoyb.exe r
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - User Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://eyetide.com/d...e Installer.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\djocx.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
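The log above is exactly what the helper triages by hand in the posts that follow. As an added example (not code from the thread, from HijackThis or from Geeks to Go), here is a small Python triage pass over a constructed sample of lines in the same format. The review rules it applies (an extra executable on the system.ini Shell= line, unnamed BHOs, any Winlogon Notify DLL, services with an unknown owner, lowercase random-looking filenames such as the nameshifter uses) are my assumptions about what a reviewer checks first, not HijackThis's own logic, and a flag means "look at this", not "this is malicious".

```python
"""Triage pass over HijackThis 1.99.1 log lines.

Added example, not code from the thread, from HijackThis or from Geeks to Go.
The sample lines below are constructed in the log format shown in the thread;
the review rules are assumptions about what a reviewer checks first, and a
flag means "look at this", not "this is malicious".
"""
import re

# Constructed sample in HijackThis format (same sections as the thread's logs).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CF410323-BFC3-E06A-B5E8-954BC6375E97} - C:\WINDOWS\system32\znfr.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [gdnahn] C:\WINDOWS\system32\ovnsoyb.exe r
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\djocx.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# "O4 - rest of line": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Any drive-letter path ending in .exe/.dll, quoted or not (non-greedy: first extension wins).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
# Lowercase letters only, 4-8 long: the "random name" pattern the thread's nameshifter uses.
RANDOM_NAME_RE = re.compile(r"[a-z]{4,8}\.(?:exe|dll)")


def flag_entry(etype: str, body: str) -> list[str]:
    """Return the review reasons for one log entry (empty list = nothing notable)."""
    reasons = []
    if etype == "F2" and "Shell=" in body:
        # system.ini Shell= must be exactly Explorer.exe; anything appended runs at every logon.
        shell_value = body.split("Shell=", 1)[1].strip()
        if shell_value.lower() != "explorer.exe":
            reasons.append("Shell= line loads an extra executable at logon")
    if etype == "O2" and "(no name)" in body:
        reasons.append("browser helper object registered without a name")
    if etype == "O20":
        # Notify DLLs are loaded into winlogon.exe (SYSTEM) and survive Explorer-level cleanup.
        reasons.append("Winlogon Notify DLL")
    if etype == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    for path in PATH_RE.findall(body):
        basename = path.rsplit("\\", 1)[-1]
        if RANDOM_NAME_RE.fullmatch(basename):
            reasons.append(f"random-looking filename {basename}")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Parse every 'Xn - ...' line and keep those with at least one review reason."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        reasons = flag_entry(m["type"], m["body"])
        if reasons:
            flagged.append({"type": m["type"], "line": line.strip(), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["type"], "|", entry["line"])
        for reason in entry["reasons"]:
            print("    -", reason)
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; on the sample it flags six of the nine entries and leaves the Adobe, AntiVir and Lexmark lines alone, which is the same split the helper makes by hand in post #5.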

#4
mookie954 (Topic Starter, Member, 54 posts)
Task manager says there are 35 processes running though not all are listed. AVGuard caught a few Trojans today and Ad-aware found several data miners. My windows prefetch file shows all the same files AVG deleted. And lots more that are "created" at the exact time I started this mess. Last night at 1:47 a.m.-ish.

#5
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
You may want to print or save these instructions locally before starting.

Download CleanUp!.
If that doesn’t work, use this link.
Don't use it yet.

***

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
***

We will take on an infection now that changes names. It's this line in the current HijackThis log:
O4 - HKLM\..\Run: [gdnahn] C:\WINDOWS\system32\ovnsoyb.exe r

Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for gdnahn.
  • Open your C:\Windows\system32 folder and search for ovnsoyb.exe.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select gdnahn and Click Kill3
  • Then immediately delete ovnsoyb.exe from your system32 folder.
Close APT.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Once in Safe Mode, please double-click on nailfix.exe. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Then run HijackThis, click Scan, and place a checkmark by the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {CF410323-BFC3-E06A-B5E8-954BC6375E97} - C:\WINDOWS\system32\znfr.dll

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [gdnahn] C:\WINDOWS\system32\ovnsoyb.exe r

O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB

O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab

O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\djocx.dll


Close all open windows except for HijackThis and click Fix Checked.

***

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
***

Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply


#6
mookie954 (Topic Starter, Member, 54 posts)
Logfile of HijackThis v1.99.1
Scan saved at 9:16:42 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\uamumv.exe
C:\WINDOWS\system32\lmkjlm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bea Yerks\Desktop\cyber_5.4\cyber_5.4\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Bea Yerks\Application Data\Mozilla\Profiles\default\mw59bskv.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Bea Yerks\Application Data\Mozilla\Profiles\default\mw59bskv.slt\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {CF410323-BFC3-E06A-B5E8-954BC6375E97} - C:\WINDOWS\system32\znfr.dll
O2 - BHO: PnIEBrowserHelperObj Class - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: PowerReg SchedulerV2.exe
O4 - User Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://eyetide.com/d...e Installer.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\djocx.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#7
mookie954 (Topic Starter, Member, 54 posts)
Analyze this new log and repost instructions. Ran lots of things in safe mode etc. Found and removed several things. Everything is staying in the windows file and duplicated in the prefetch file.
Thanks for your help!
Michelle

#8
mookie954 (Topic Starter, Member, 54 posts)
Running the Ewido now to get you a log before I start anything you are asking me to do. Like a million things keep changing, moving, etc. Wait a couple more minutes.
Thanks,
Michelle

#9
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Let's wait for what Ewido has to say, then we will move on to the next step.

EDIT:

Looks like we should have disabled your security before we did the previous advice.
Please do it again, but now shut down your security when you do so.

Edited by g2i2r4, 17 August 2005 - 08:04 AM.


#10
mookie954 (Topic Starter, Member, 54 posts)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:10:27 AM, 8/17/2005
+ Report-Checksum: 21943D77

+ Scan result:

[492] C:\WINDOWS\system32\djocx.dll -> Spyware.Look2Me : Error during cleaning
[1248] C:\WINDOWS\system32\thcfgwmi.dll -> Spyware.Look2Me : Error during cleaning
[1584] VM_016A0000 -> Adware.BetterInternet : Error during cleaning
[2592] C:\WINDOWS\system32\uamumv.exe -> Trojan.Agent.gp : Error during cleaning
[2640] C:\WINDOWS\system32\lmkjlm.exe -> Trojan.Agent.cp : Error during cleaning
C:\Documents and Settings\Bea Yerks\Local Settings\Temp\Cookies\bea yerks@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\ewent.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nqtid.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__thcfgwmi.dll -> Spyware.Look2Me : Cleaned with backup


::Report End


#11
mookie954 (Topic Starter, Member, 54 posts)
Right after ewido finished it popped up with the aurora exe file to remove it. The whole time this was running AntiGuard is popping up with Agent.gp stuff.

#12
mookie954 (Topic Starter, Member, 54 posts)
---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 10:16:10 AM, 8/17/2005
+ Report-Checksum: 75A05E41

Reg\HKLM\Run EM_EXEC C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Shell\CommonStartup Adobe Gamma Loader.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
Shell\CommonStartup America Online Tray Icon.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
Shell\UserStartup PowerReg SchedulerV2.exe C:\Documents and Settings\Bea Yerks\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
File\SystemIni il.exe Explorer.exe C:\WINDOWS\Nail.exe
Reg\HKLM\Run WildTangent CDA RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
Reg\HKLM\Run AVGCtrl "C:\Program Files\AVPersonal\AVGNT.EXE" /min
Reg\HKLM\Run UserFaultCheck %systemroot%\system32\dumprep 0 -u
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run SSBkgdUpdate "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
Reg\HKLM\Run PaperPort PTD C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
Reg\HKLM\Run IndexSearch C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
Reg\HKLM\Run THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

-------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 10:16:40 AM, 8/17/2005
+ Report-Checksum: B55BA939

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:18350 0.0.0.0:0 LISTENING
TCP 67.191.78.115:139 0.0.0.0:0 LISTENING
TCP 67.191.78.115:1255 64.192.130.161:80 ESTABLISHED
TCP 67.191.78.115:1291 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1292 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1294 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1295 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1296 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1297 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1298 69.65.20.162:80 ESTABLISHED
TCP 67.191.78.115:1299 69.65.20.162:80 ESTABLISHED
TCP 127.0.0.1:1028 127.0.0.1:18350 ESTABLISHED
TCP 127.0.0.1:1039 0.0.0.0:0 LISTENING
TCP 127.0.0.1:18350 127.0.0.1:1028 ESTABLISHED
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1025
UDP 0.0.0.0:1031
UDP 0.0.0.0:4500
UDP 67.191.78.115:123
UDP 67.191.78.115:137
UDP 67.191.78.115:138
UDP 67.191.78.115:1900
UDP 127.0.0.1:123
UDP 127.0.0.1:1046
UDP 127.0.0.1:1900




---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 10:17:01 AM, 8/17/2005
+ Report-Checksum: A00F0052

0: System Process
4: System Process
140: C:\Program Files\AVPersonal\AVWUPSRV.EXE
200: C:\Program Files\ewido\security suite\ewidoctrl.exe
216: C:\Program Files\ewido\security suite\ewidoguard.exe
420: \SystemRoot\System32\smss.exe
456: C:\WINDOWS\System32\svchost.exe
468: System Process
492: \??\C:\WINDOWS\System32\winlogon.exe
536: C:\WINDOWS\system32\services.exe
548: C:\WINDOWS\system32\lsass.exe
792: C:\WINDOWS\system32\svchost.exe
844: C:\WINDOWS\system32\svchost.exe
908: C:\WINDOWS\System32\svchost.exe
1000: System Process
1084: System Process
1128: System Process
1248: C:\WINDOWS\System32\rundll32.exe
1316: C:\WINDOWS\system32\brsvc01a.exe
1328: C:\WINDOWS\system32\LEXBCES.EXE
1344: C:\WINDOWS\system32\brss01a.exe
1364: C:\WINDOWS\system32\spoolsv.exe
1584: C:\WINDOWS\Explorer.exe
1728: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
1736: C:\WINDOWS\system32\RUNDLL32.exe
1744: C:\Program Files\AVPersonal\AVGNT.EXE
1784: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
1804: C:\Program Files\TrojanHunter 4.2\THGuard.exe
1832: C:\Program Files\ewido\security suite\SecuritySuite.exe
1972: System Process
2020: C:\Program Files\AVPersonal\AVGUARD.EXE
2044: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
2232: C:\Program Files\Internet Explorer\iexplore.exe
2592: C:\WINDOWS\system32\uamumv.exe
2612: C:\WINDOWS\system32\NOTEPAD.EXE
2640: C:\WINDOWS\system32\lmkjlm.exe
3784: C:\WINDOWS\system32\NOTEPAD.EXE
3948: C:\WINDOWS\system32\NOTEPAD.EXE
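The scan report in post #10 and the process report above can be read together: a scan line that starts with "[PID]" is an object ewido found loaded inside that running process, and the process report names the process, which is why those files could not be cleaned on disk while winlogon.exe and Explorer.exe were still running with the DLLs inside them (the helper's next step, L2mfix, exists for exactly that Look2Me case). As an added example (not ewido's code and not from the thread), the following Python joins a constructed sample of both reports, in the line format shown above, and names the host process for each finding that could not be cleaned.

```python
"""Join an ewido scan report against its process report.

Added example; not ewido's code and not from the thread. Both sample reports
below are constructed in the line format ewido used in the thread. A scan
line that starts with "[pid]" means the object was found loaded inside that
running process, so the on-disk copy could not be removed while that process
was alive; naming the host tells the reviewer where the persistence sits
(a DLL inside winlogon.exe or Explorer.exe points at a Winlogon Notify or
shell hook rather than a plain Run key).
"""
import re

# Constructed sample scan report lines (ewido "Scan result" format).
SCAN_REPORT = r"""
[492] C:\WINDOWS\system32\djocx.dll -> Spyware.Look2Me : Error during cleaning
[1584] VM_016A0000 -> Adware.BetterInternet : Error during cleaning
[2592] C:\WINDOWS\system32\uamumv.exe -> Trojan.Agent.gp : Error during cleaning
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\ewent.dll -> Spyware.Look2Me : Cleaned with backup
"""

# Constructed sample process report lines ("pid: image").
PROCESS_REPORT = r"""
0: System Process
492: \??\C:\WINDOWS\System32\winlogon.exe
1584: C:\WINDOWS\Explorer.exe
2592: C:\WINDOWS\system32\uamumv.exe
"""

SCAN_RE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<obj>.+?) -> (?P<family>\S+) : (?P<result>.+)$")
PROC_RE = re.compile(r"^(?P<pid>\d+): (?P<image>.+)$")
NT_PREFIX = "\\??\\"  # object-manager prefix ewido shows on some images


def parse_processes(text: str) -> dict[int, str]:
    """Map pid -> image path, with the NT object-manager prefix stripped."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = m["image"].removeprefix(NT_PREFIX)
    return procs


def parse_scan(text: str) -> list[dict]:
    """One dict per finding; pid is None for findings ewido reached on disk only."""
    findings = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            findings.append({
                "pid": int(m["pid"]) if m["pid"] else None,
                "object": m["obj"],
                "family": m["family"],
                "result": m["result"],
                # VM_xxxxxxxx objects are memory regions with no backing file
                "memory_only": m["obj"].startswith("VM_"),
            })
    return findings


def correlate(scan_text: str, proc_text: str) -> list[dict]:
    """Attach the host process name to every finding that carried a pid."""
    procs = parse_processes(proc_text)
    out = []
    for f in parse_scan(scan_text):
        host = None
        if f["pid"] is not None:
            image = procs.get(f["pid"], "<pid not in process report>")
            host = image.rsplit("\\", 1)[-1]
        out.append({**f, "host": host})
    return out


def locked_hosts(findings: list[dict]) -> dict[str, list[str]]:
    """Running processes that held an object ewido could not clean, with the families seen."""
    hosts: dict[str, list[str]] = {}
    for f in findings:
        if f["host"] and f["result"].startswith("Error"):
            hosts.setdefault(f["host"], []).append(f["family"])
    return hosts


if __name__ == "__main__":
    joined = correlate(SCAN_REPORT, PROCESS_REPORT)
    for host, families in locked_hosts(joined).items():
        print(f"{host}: could not clean {', '.join(families)}")
    cleaned = [f["object"] for f in joined if f["result"].startswith("Cleaned")]
    print("cleaned on disk:", cleaned)
```

On the sample this reports winlogon.exe holding the Look2Me DLL and Explorer.exe holding the BetterInternet memory region, while the two findings without a pid were removed on disk; that split is the practical reason the helper asks for the scan to be repeated with the resident guard off and then moves to a tool that runs before winlogon loads its Notify DLLs.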

#13
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Rerun my previous advice, but shut down Antiguard to allow the changes.

Then reboot and do this:

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#14
mookie954 (Topic Starter, Member, 54 posts)
Following exactly what you said,

After running the APT.exe file, could not find gdnahn.
Then opened C:\Windows\system32 folder, could not find ovnsoyb.exe
Then, before doing the safe mode thing looked for nailfix.exe, could not find.

Decided to stop and repost a new HijackThis log; please look over it and re-reply going by the new log.

#15
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Please do the l2mfix first. We will deal with the nameshifter later.





