Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora and webservicehosts problems [CLOSED]


  • This topic is locked This topic is locked

#1
elviradd

elviradd

    New Member

  • Member
  • Pip
  • 4 posts
Hijack this log, after running Spybot S&D, Adaware, and Trojanhunter programs

Logfile of HijackThis v1.99.1
Scan saved at 9:31:02 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\112034~1\EE\AOLHOS~1.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\112034~1\EE\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\r?gedit.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\sder\dees.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Documents and Settings\Elvira\My Documents\tools\HijackThis.exe
C:\Documents and Settings\Elvira\My Documents\tools\HijackThis.exe
C:\Documents and Settings\Elvira\My Documents\tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: (no name) - {B29BAA80-3745-63C4-4C6E-1B5341F256C7} - C:\WINNT\system32\zemqr.dll
O2 - BHO: (no name) - {D0560D3F-C0F3-CD2C-F020-BFC9D8C13C92} - C:\WINNT\system32\xuyb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ywqXhS] C:\documents and settings\stephie\local settings\temp\ywqXhS.exe
O4 - HKLM\..\Run: [HGBCIoz] C:\documents and settings\stephie\local settings\temp\HGBCIoz.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120340634\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [bv7l7dru] C:\WINNT\system32\bv7l7dru.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [kjryigi] C:\WINNT\system32\wxuzwp.exe r
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Fvgfx] C:\WINNT\system32\r?gedit.exe
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Stephie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://aol.ea.com/do...py/iesnoopy.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...scanner/WFI.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{184E9C5C-96CC-4718-A01C-63879F4B3267}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{184E9C5C-96CC-4718-A01C-63879F4B3267}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

This comes from a machine that has access to teenagers. What is the best way to protect myself from this stuff coming onto my machine? I have downloaded trojan guard as a temporary fix.

Thanks for your help!
  • 0

Advertisements


#2
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I made a good fix for this, I will post a reply. Thank you for your patience.
  • 0

#3
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please disable your Trojan Hunter Guard temporarily because this will hinder in our fixes.
(Note: We will re-ENABLE it later after your system is all clean and malware free.)[/quote]

++++++++++++++++++++++++++++++++++++++++++++
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, dont run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.
++++++++ STEP 1 ++++++++
Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for kjryigi
  • Open your C:\WINNT\system32\ folder and search for wxuzwp.exe.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select kjryigi and Click Kill3
  • Then immediately delete wxuzwp.exe from your system32 folder.
Close APT.

++++++++ STEP 2 ++++++++
To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping press F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

++++++++ STEP 3 ++++++++
Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
++++++++ STEP 4 ++++++++
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: (no name) - {B29BAA80-3745-63C4-4C6E-1B5341F256C7} - C:\WINNT\system32\zemqr.dll
O2 - BHO: (no name) - {D0560D3F-C0F3-CD2C-F020-BFC9D8C13C92} - C:\WINNT\system32\xuyb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ywqXhS] C:\documents and settings\stephie\local settings\temp\ywqXhS.exe
O4 - HKLM\..\Run: [HGBCIoz] C:\documents and settings\stephie\local settings\temp\HGBCIoz.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [bv7l7dru] C:\WINNT\system32\bv7l7dru.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [kjryigi] C:\WINNT\system32\wxuzwp.exe r
O4 - HKCU\..\Run: [Fvgfx] C:\WINNT\system32\r?gedit.exe

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...scanner/WFI.cab


Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

++++++++ STEP 5 ++++++++
Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
FOLDERS
  • C:\Program Files\COMMON~1\WinTools\
  • C:\Program Files\WindowsSA\
  • C:\Program Files\Media Gateway\
Finally, Empty Recycle Bin

++++++++ STEP 6 ++++++++
Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
++++++++ STEP 7 ++++++++
Finally, restart your computer back into Normal Mode

Download this tool from Symantec then run FxWebsch.exe:
http://securityresponse.symantec.com/avcenter/FxWebsch.exe

++++++++ STEP 8 ++++++++
Click HERE to download Pocket Killbox by Option^Explicit. Double-click Killbox.exe to run it.

Select "Delete on Reboot".

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
[quote]C:\WINNT\Nail.exe
C:\WINNT\dsr.dll
C:\WINNT\system32\stlb2.dll
C:\WINNT\system32\zemqr.dll
C:\WINNT\system32\zemqr.dll
C:\documents and settings\stephie\local settings\temp\ywqXhS.exe
C:\documents and settings\stephie\local settings\temp\HGBCIoz.exe
C:\WINNT\system32\bv7l7dru.exe
C:\WINNT\dinst.exe
C:\WINNT\system32\wxuzwp.exe
C:\WINNT\system32\r?gedit.exe
[/quote]


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

++++++++ STEP 9 ++++++++
Please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

We will clean of what has been left.

GOOD LUCK! :tazz:

Edited by kool808, 18 August 2005 - 06:25 AM.

  • 0

#4
elviradd

elviradd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks Kool808 !! Step one was already cleaned ... and just a heads up that the friend I was helping was asleep so I didn't completely trash her temp files, just the ones that I knew were suspicious till she's awake. I had fun getting rid of this stuff, and think we are almost home free ....

Here's the update HJK log:

Logfile of HijackThis v1.99.1
Scan saved at 2:38:16 AM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\sder\dees.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\COMMON~1\AOL\112034~1\EE\AOLHOS~1.EXE
C:\WINNT\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\112034~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\mmc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINNT\system32\DfrgNtfs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Elvira\My Documents\download\dd\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120340634\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Stephie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://aol.ea.com/do...py/iesnoopy.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

and I've attached the ewido log from the cleaning. So far it's been great not seeing the browser redirected or annoying ads trying to claim the machine.

dd

Attached Files


  • 0

#5
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

good job, your log looks much better now. However the report from Ewido was not from the scan results, we will do another scan then you need to post the report from the scan results.  :tazz:

Please DISABLE your Trojan Hunter Guard since this will hinder in our fixes, we will re-Enable it later when your system is all clean.


Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Please Download the stand-alone version of [ CoolWebShredder ]

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
++++++++++++++++++++++++++++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Stephie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx

Make sure to double check the items you have selected, then click Fix Checked.

++++++++++++++++++++++++++++++++++
Reboot in SAFE MODE. (How to boot in Safe Mode...)
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist

    • BrowserAid’ or ‘CashToolbar’ (if it exist)
    • Web Toolbar (if it exist)
    • BrowserPal (if it exist)
  • Click Uninstall
  • Confirm with OK
++++++++++++++++++++++++++++++++++
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

++++++++++++++++++++++++++++++++++
Open Ad-aware and do a full scan. Remove all it finds.

++++++++++++++++++++++++++++++++++
Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

++++++++++++++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\Program Files\sder\ <-- whole folder
Finally, Empty Recycle Bin


reboot back in NORMAL MODE.

Have an On-line scan at this sites: Panda Scan, save the results then post it.
++++++++++++++++++++++++++++++++++
  • Open HijackThis
  • go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • close HJT
Open up NOTEPAD, then copy & paste the following commands. Save it to desktop as findpf.bat. Save it as file type all files.

@echo off
cd\
dir %System Root%\PROGRA~1 > pflist.txt
notepad pflist.txt

Now on your desktop double-click findpf.bat then post the results in your next reply.
(NOTE: You can delete this file afterwards.)

++++++++++++++++++++++++++++++++++
Scan with a new Hijackthis then post the results.


THINGS TO POST:
1. new HijackThis
2. Ewido report
3. Panda Scan results.
4. Uninstall list and pflist.txt results
  • 0

#6
elviradd

elviradd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks Kool808 ... here's the update:

HJK log:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:54 AM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\112034~1\EE\AOLHOS~1.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\COMMON~1\AOL\112034~1\EE\AOLServiceHost.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Documents and Settings\Elvira\My Documents\download\dd\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120340634\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://aol.ea.com/do...py/iesnoopy.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{184E9C5C-96CC-4718-A01C-63879F4B3267}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{184E9C5C-96CC-4718-A01C-63879F4B3267}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Uninstall list:

Ad-aware 6 Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20020823.1)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Computer Check-Up
AOL Connectivity Services
AOL Deskbar
AOL Instant Messenger
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
ArcSoft PhotoImpression
ArcSoft VideoImpression 1.6
Do More 5.0
ewido security suite
GTW V.92 Voicemodem
HelpSpot
HijackThis 1.99.1
hp instant support
hp officejet k series - 2
hp officejet k series - 3
hp officejet k series - 4
hp officejet k series - 5
HP Photo Printing Software
HP Share-to-Web
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
iPod for Windows 2005-01-11
iPod for Windows 2005-03-23
iTunes
McAfee SecurityCenter
McAfee VirusScan
MediaLoads
Microsoft Data Access Components KB870669
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MSN Messenger 7.0
Network Play System (Patching)
NHL® 2003
OIN
Panda ActiveScan
PC-Doctor Diagnostics
PC-Doctor for Windows
PC-Doctor Services
PS/2 Millennium Keyboard
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Spybot - Search & Destroy 1.4
TrojanHunter 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VGA USB Camera
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

Pflist:

Volume in drive C has no label.
Volume Serial Number is C041-B437

Directory of C:\Progra~1

08/24/2005 07:43 AM <DIR> .
08/24/2005 07:43 AM <DIR> ..
12/04/2004 12:19 PM <DIR> 3B Software
08/19/2005 11:44 AM <DIR> Adobe
09/20/2004 03:34 PM <DIR> AIM
09/20/2004 05:07 PM <DIR> AIM Toolbar
09/20/2004 03:10 PM <DIR> AIM95
07/18/2005 12:36 PM <DIR> America Online 8.0
07/02/2005 08:14 PM <DIR> America Online 9.0
09/20/2004 03:33 PM <DIR> AOD
07/05/2005 10:18 AM <DIR> AOL Computer Check-Up
07/02/2005 05:45 PM <DIR> AOL Deskbar
07/02/2005 05:45 PM <DIR> AOL Toolbar
08/21/2005 06:25 PM <DIR> ArcSoft
09/20/2004 03:34 PM <DIR> AWS
08/17/2005 12:28 AM <DIR> Common Files
10/09/2001 01:47 PM <DIR> ComPlus Applications
11/28/2003 09:05 PM <DIR> DelFin
08/21/2005 06:22 PM <DIR> directx
01/01/2004 05:15 PM <DIR> EA SPORTS
03/24/2003 08:22 PM <DIR> EACom
09/21/2002 02:13 PM <DIR> Electronic Arts
09/16/2002 03:58 PM <DIR> EPSON
08/23/2005 11:29 PM <DIR> ewido
08/19/2002 07:59 PM <DIR> Gateway
06/23/2005 08:06 PM <DIR> Griffin Technology
09/21/2002 02:35 PM <DIR> Hasbro Interactive
06/07/2004 02:35 PM <DIR> Hewlett-Packard
08/19/2002 07:59 PM <DIR> intel
08/16/2005 03:01 AM <DIR> Internet Explorer
04/26/2005 01:53 PM <DIR> iPod
04/02/2005 04:18 PM <DIR> iTunes
07/23/2004 01:48 PM <DIR> Kazaa
11/28/2003 08:49 PM <DIR> Lavasoft
08/14/2005 03:35 PM <DIR> Lycos
09/21/2002 02:11 PM <DIR> Maxis
08/08/2005 07:41 PM <DIR> McAfee.com
10/16/2002 10:37 PM <DIR> MediaLoads
02/10/2005 04:11 AM <DIR> Messenger
08/19/2002 08:00 PM <DIR> Microsoft ActiveSync
10/09/2001 01:51 PM <DIR> microsoft frontpage
12/01/2003 01:10 PM <DIR> Microsoft Office
09/29/2003 05:45 PM <DIR> Microsoft Picture It! 2002
08/19/2002 08:02 PM <DIR> Microsoft Works
08/19/2002 08:02 PM <DIR> Microsoft Works Suite 2002
01/18/2003 08:36 AM <DIR> MLH
12/24/2004 08:17 PM <DIR> Motorola
10/02/2004 10:06 AM <DIR> Movie Maker
08/15/2003 02:04 PM <DIR> MSN
10/09/2001 01:46 PM <DIR> MSN Gaming Zone
06/24/2005 11:45 PM <DIR> MSN Messenger
08/19/2002 08:03 PM <DIR> MusicMatch
08/17/2005 12:28 AM <DIR> MyWay
10/02/2004 09:49 AM <DIR> NetMeeting
12/10/2001 08:24 AM <DIR> Online Services
10/02/2004 09:49 AM <DIR> Outlook Express
08/10/2005 09:12 AM <DIR> PC-Doctor for Windows
09/16/2002 02:26 PM <DIR> Program Shortcuts
07/02/2005 05:45 PM <DIR> Pure Networks
12/01/2003 01:08 PM <DIR> QUICKENW
04/02/2005 04:19 PM <DIR> QuickTime
10/13/2003 05:03 PM <DIR> Real
08/17/2005 08:50 AM <DIR> SearchRelevant
08/08/2005 09:47 PM <DIR> Spybot - Search & Destroy
08/21/2005 10:49 AM <DIR> TrojanHunter 4.2
08/21/2005 06:22 PM <DIR> VGA USB Camera
08/11/2005 12:18 PM <DIR> Viewpoint
08/24/2005 01:02 AM <DIR> Winad Client
08/21/2005 06:25 PM <DIR> Windows Media Player
10/02/2004 09:49 AM <DIR> Windows NT
08/24/2005 01:02 AM <DIR> WindUpdates
10/09/2001 01:51 PM <DIR> xerox
0 File(s) 0 bytes
72 Dir(s) 23,949,246,464 bytes free

And I attached the scan results (thanks for the tips on getting you the right scan data). Still working on getting the recycle bin cleared, they had a lot installed.

What is the best way to prevent this stuff from taking over the machine?

dd

Attached Files


  • 0

#7
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

You missed the Panda Scan results, as for Ewido please do NOT attach the results, post them normally like your any other post.

You still haven't disabled your Trojan Hunter Guard, it will hinder it the fixes. Please disable it temporarily.


+++++++++++++++++++++++++++
Please downloadDo NOT run them yet.

Download Lavasoft's VX2 Cleaner plug-in HERE
  • Install the VX2 Cleaner
  • Start Ad-Aware SE
  • Go to "Plug-ins"
  • Select the VX2 Cleaner plug-in and click "Run Plugin"
  • If your computer isn't infected, click "Close".
If your computer is infected
  • Select "Clean system"
  • Close Ad-Aware
Download and install Cleanup. Do NOT run it yet.

+++++++++++++++++++++++++++
Reboot in SAFE MODE. (How to boot in Safe Mode...)
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist

    • Viewpoint Media Player
  • Click Uninstall
  • Confirm with OK
+++++++++++++++++++++++++++
Open up NOTEPAD, then copy & paste the follwing codes (starting from REGEDIT4). Save it on desktop as fixme.reg. Choose file types as ALL FILES.

REGEDIT4

[-HKLM\SOFTWARE\Altnet]

[-HKLM\SOFTWARE\Altnet\Dashboard]

[-HKLM\SOFTWARE\Altnet\Dashboard\Settings]

[-HKLM\SOFTWARE\Classes\ADM25.ADM25]

[-HKLM\SOFTWARE\Classes\ADM4.ADM4]

[-HKLM\SOFTWARE\Classes\Apuc.UrlCatcher]

[-HKLM\SOFTWARE\Classes\AtlBrCon.AtlBrCon]

[-HKLM\SOFTWARE\Classes\BridgeX.Installer]

[-HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj]

[-HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj]

[-HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost]

[-HKLM\SOFTWARE\Classes\eZulaAgent.IEObject]

[-HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt]

[-HKLM\SOFTWARE\Classes\eZulaAgent.ToolBarBand]

[-HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl]

[-HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode]

[-HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash]

[-HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch]

[-HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay]

[-HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper]

[-HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper]

[-HKLM\SOFTWARE\Classes\EZulaMain.eZulaPopSearchPipe]

[-HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe]

[-HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM]

[-HKLM\SOFTWARE\Classes\SearchHelp]

[-HKLM\SOFTWARE\Classes\VX2.VX2Obj]

[-HKLM\SOFTWARE\Classes\WToolsB.ResProtocol]

[-HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarBHO]

[-HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarName]


Now double-click fixme.reg then allow it to merge to the system.
(NOTE: You can delete this file afterwards.)


+++++++++++++++++++++++++++
NOW RUN THESE TOOLS
  • FixNetOpt.exe
  • FixEzula.exe
  • FxWebsch.exe
  • Ad-Aware, full system scan
+++++++++++++++++++++++++++
Through Windows Explorer, delete the following folders if they exist (in bold):
  • C:\Program Files\DelFin\ <-- whole folder
  • C:\Program Files\Kazaa\ <-- whole folder
  • C:\Program Files\MediaLoads\ <-- whole folder
  • C:\Program Files\MyWay\ <-- whole folder
  • C:\Program Files\SearchRelevant\ <-- whole folder
  • C:\Program Files\Viewpoint\ <-- whole folder
  • C:\Program Files\Winad Client\ <-- whole folder
  • C:\Program Files\WindUpdates\ <-- whole folder
Finally, Empty Recycle Bin

+++++++++++++++++++++++++++
Do another full system scan with Ewido, then save the report.

+++++++++++++++++++++++++++
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

When you click the Close button you will be prompted to reboot, agree to it.

reboot back in NORMAL MODE.

Scan again with Panda Scan, save the results.

Then post back the report from Ewido as well as Panda scan.
(Please do NOT attach the results, post them normally like your any other post.)
  • 0

#8
elviradd

elviradd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Just a quick heads up PandaScan came back and said there were 0 infections.

dd :tazz:
  • 0

#9
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
got it! that is good to hear :tazz:

please proceed with the remaining procedures.
  • 0

#10
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP