Aurora Trojan Attack [RESOLVED]


This topic is locked.

#46 nancylpina (Member, Topic Starter, 55 posts)

Hi Michelle,

It says: C:\WINNT\system32\cmd.exe
C:\WINNT\System32\AutoExec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose "Close" to terminate the application.
Then the buttons say either to close or ignore.

CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
is a charting software for stocks and futures - so I need that program.

Here is the HijackThis log from normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 2:37:49 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cqginsts.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\VSTASCAN\vsaccess.exe
c:\jetsuite\JSFMAN.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Nancy\Desktop\HijackThis-2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124308158750
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://active.macro...abs/swflash.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#47 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
is a charting software for stocks and futures - so I need that program.

Ok, good.

To fix the error message:

Open L2mfix folder and double-click l2mfix.bat. Choose Option #5, then reboot your computer and try running FindQ again.

I need you to delete this folder:

C:\Program Files\E2G

Then:

*Open HijackThis.
*Click on None of the above, just start the program
*Click Config (bottom right)
*Click Misc Tools
*Click Open Uninstall Manager
*Click Save List - Save it anywhere.
*A Notepad window will pop up after it's saved; please copy everything in that Notepad and paste it here.

So, I need the log from FindQ after running option 5 and the uninstall list in your next post.

I will give you all of my recommendations for programs to remove and keep when we're done. Also, how old is Norton (2003?)?

Edited by Michelle, 22 August 2005 - 01:48 PM.


#48 nancylpina (Member, Topic Starter, 55 posts)

Michelle,

I couldn't delete the E2G folder - it says that access is denied - source file may be in use. IeBHOs.dll is the file in the folder that won't delete.

I have Norton AntiVirus 2005 ... I had an older version on this computer at one time but just installed the new one three weeks ago.

Here is the HijackThis log:

Adobe Download Manager 1.2 (Remove Only)
Adobe Help Center 1.0
Adobe Stock Photos 1.0
Avery DesignPro
BHead version 4.1.2
CA eTrust PestPatrol
ccCommon
CCleaner (remove only)
Citrix ICA Client
CleanUp!
Command
Corel Uninstaller
Dell TrueMobile 2300 Control Utility
E*TRADE Trading Platform 4.6.60
E2give Plug-in
EBook Generator
ewido security suite
ExpressZip
Good Keywords v1.5b
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Internet Printer Connection
Internet Worm Protection
Java 2 Runtime Environment Standard Edition v1.3.1_09
JetSuite Pro for the HP LaserJet 3100
J-Surf EJ
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft FrontPage 2000 SR-1
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Mozilla Firefox (1.0.6)
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
NTI CD-Maker 2000 Standard
NTI FileCD
OIN
Panda ActiveScan
Presto! PageType
QuickTime
Read in Microsoft Reader Add-in for Microsoft Word
SPBBC
Spybot - Search & Destroy 1.3
SpywareBlaster v3.3
Symantec
Symantec Script Blocking Installer
SymNet
TrojanHunter 4.2
Ulead Drop Spot 1.0
Ulead PhotoImpact 6
VistaShuttle
Windows 2000 Hotfix - KB842773
Windows 2000 Service Pack 4
Windows 2000 Support Tools
Windows Installer 3.1 (KB893803)
Windows Media Player 7.1
WinZip

Here is the FindQ Log:

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL is a windows file...

C:\WINNT\SYSTEM32\DFGFDJS.DLL

»»»»»2K XP 9X and ME Misc check's...

C:\WINNT\SYSTEM32\QWVGQ.DAT

»»»»» 9X and ME check's...

#49 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Please zip these files up and e-mail them to me (last ones I promise!)

C:\WINNT\SYSTEM32\DFGFDJS.DLL
C:\WINNT\SYSTEM32\QWVGQ.DAT

Add password Qoo

Then,
* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINNT\SYSTEM32\DFGFDJS.DLL
C:\WINNT\SYSTEM32\QWVGQ.DAT
C:\Program Files\E2G\IeBHOs.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, run HijackThis. Place a check next to this item and click FIX CHECKED:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

Close HijackThis.

Delete the folder:

C:\Program Files\E2G

Rescan with HJT and post the new log.

#50 nancylpina (Member, Topic Starter, 55 posts)

Here is the HijackThis log.
I also emailed those files to you!

Logfile of HijackThis v1.99.1
Scan saved at 3:43:26 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cqginsts.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\VSTASCAN\vsaccess.exe
c:\jetsuite\JSFMAN.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Nancy\Desktop\HijackThis-2.exe
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\c02f0e8c30b7379ef1ced34dd711bbc8\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124308158750
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://active.macro...abs/swflash.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
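The fix requested in #49 is verified here by eye: the 2:37 PM log in #46 carries the `O2 - BHO: CControl Object ... IeBHOs.dll` line and the 3:43 PM log above no longer does. The script below is an added example, not part of this thread and not HijackThis code: it parses the line shapes visible in the posted logs (the "Running processes:" block followed by `Oxx - body` entries; treating that as the format is an assumption based only on the lines posted here), diffs a before and an after log, and lists any O2 BHO entries still registered. The embedded sample logs are constructed excerpts of the two logs posted in #46 and #50.

```python
"""Diff two HijackThis logs to confirm that a flagged entry is gone.

Added example for this thread; not part of the forum post and not
HijackThis code. The parsing rules are an assumption drawn from the
line shapes visible in the posted logs ("Running processes:" followed
by one path per line, then entries such as "O2 - BHO: name - {CLSID} - path").
BEFORE and AFTER are constructed excerpts of the 2:37 PM and 3:43 PM logs.
"""
import re

# Entry lines start with a HijackThis section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# O2 body shape seen in the log: "BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:37:49 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:43:26 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
"""


def parse_hjt(text):
    """Split a log into (processes, entries).

    processes: paths listed under "Running processes:" up to the next blank line
    entries:   dict mapping section code -> list of entry bodies, in log order
    """
    processes, entries, in_processes = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return processes, entries


def entry_set(text):
    """Flatten a log's entries back to full 'Oxx - body' lines for set comparison."""
    _, entries = parse_hjt(text)
    return {f"{code} - {body}" for code, bodies in entries.items() for body in bodies}


def diff_logs(before, after):
    """Return (removed, added): entry lines present only before / only after."""
    b, a = entry_set(before), entry_set(after)
    return sorted(b - a), sorted(a - b)


def bho_entries(text):
    """Return (clsid, dll_path) for every O2 BHO entry; each is a DLL IE loads at start."""
    _, entries = parse_hjt(text)
    found = []
    for body in entries.get("O2", []):
        m = BHO_RE.match(body)
        if m:
            found.append((m.group(2), m.group(3)))
    return found


def confirm_removed(before, after, needle):
    """True when an entry containing `needle` was in the old log and is absent from the new one."""
    removed, _ = diff_logs(before, after)
    still_present = any(needle in line for line in entry_set(after))
    return any(needle in line for line in removed) and not still_present


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Entries removed since the previous log:")
    for line in removed:
        print("  -", line)
    print("Entries added since the previous log:")
    for line in added:
        print("  +", line)
    print("BHOs still registered:", bho_entries(AFTER) or "none")
    print("IeBHOs.dll gone:", confirm_removed(BEFORE, AFTER, r"E2G\IeBHOs.dll"))
```

The diff is deliberately limited to the `Oxx`/`Rx` entry lines: the process list changes from scan to scan (here `firefox.exe` and `wuauclt.exe`) and would only add noise when the question is whether a specific startup hook was removed.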

#51 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

I got the files, thank you.

Your log looks great, just one more program to run for me please to make sure we get rid of leftovers too! We're almost done! After this I will give you my recommendations.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#52 nancylpina (Member, Topic Starter, 55 posts)

Here is the log, Michelle.


********

3:56 PM: |··· Start of Session, Monday, August 22, 2005 ···|
3:56 PM: Spy Sweeper started
3:56 PM: Sweep initiated using definitions version 519
3:56 PM: Starting Memory Sweep
4:02 PM: Memory Sweep Complete, Elapsed Time: 00:06:29
4:02 PM: Starting Registry Sweep
4:02 PM: Found Adware: apropos
4:02 PM: HKU\S-1-5-21-1993962763-152049171-842925246-1000\software\aprps\ (7 subtraces) (ID = 103740)
4:02 PM: Found Adware: begin2search
4:02 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (1 subtraces) (ID = 104109)
4:02 PM: Found Adware: hotsearchbar toolbar
4:02 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (1 subtraces) (ID = 104109)
4:02 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
4:02 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
4:02 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
4:02 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
4:02 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
4:02 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
4:02 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (1 subtraces) (ID = 104159)
4:02 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (1 subtraces) (ID = 104159)
4:02 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
4:02 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
4:02 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
4:02 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
4:02 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
4:02 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
4:02 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:02 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:02 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:02 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:02 PM: Found Adware: bookedspace
4:02 PM: HKLM\software\configuration manager\cfgmgr52\ (245 subtraces) (ID = 104873)
4:03 PM: Found Adware: delfin
4:03 PM: HKLM\software\classes\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 124846)
4:03 PM: HKLM\software\vidctrl\ (3 subtraces) (ID = 124897)
4:03 PM: HKCR\vccpgdataaccess.pgdataaccessctrl.1\ (3 subtraces) (ID = 124900)
4:03 PM: Found Adware: e2g
4:03 PM: HKCR\appid\iebhos.dll\ (1 subtraces) (ID = 125406)
4:03 PM: HKCR\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (1 subtraces) (ID = 125407)
4:03 PM: HKCR\iebhos.control.1\ (3 subtraces) (ID = 125444)
4:03 PM: HKCR\iebhos.control\ (5 subtraces) (ID = 125445)
4:03 PM: HKLM\software\classes\appid\iebhos.dll\ (1 subtraces) (ID = 125446)
4:03 PM: HKLM\software\classes\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (1 subtraces) (ID = 125447)
4:03 PM: HKLM\software\classes\iebhos.control.1\ (3 subtraces) (ID = 125482)
4:03 PM: HKLM\software\classes\iebhos.control\ (5 subtraces) (ID = 125483)
4:03 PM: HKLM\software\classes\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (9 subtraces) (ID = 125484)
4:03 PM: HKLM\software\e2g\ (7 subtraces) (ID = 125485)
4:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\e2g plugin\ (5 subtraces) (ID = 125522)
4:03 PM: HKU\S-1-5-21-1993962763-152049171-842925246-1000\software\ptech\ (4 subtraces) (ID = 125528)
4:03 PM: HKCR\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\ (9 subtraces) (ID = 125529)
4:03 PM: Found Adware: multidial
4:03 PM: HKCR\dialerr.dialerr\ (3 subtraces) (ID = 135344)
4:03 PM: HKLM\software\classes\dialerr.dialerr\ (3 subtraces) (ID = 135355)
4:03 PM: Found Adware: exact navisearch
4:03 PM: HKCR\adp.urlcatcher.1\ (3 subtraces) (ID = 135552)
4:03 PM: Found Trojan Horse: trojan-downloader-pacisoft
4:03 PM: HKU\S-1-5-21-1993962763-152049171-842925246-1000\software\psof1\ (16 subtraces) (ID = 136530)
4:03 PM: Found Adware: redzip toolbar
4:03 PM: HKU\S-1-5-21-1993962763-152049171-842925246-1000\software\microsoft\windows\currentversion\explorer\ || insid (ID = 139328)
4:03 PM: Found Adware: surfsidekick
4:03 PM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143389)
4:03 PM: HKLM\software\classes\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143392)
4:03 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
4:03 PM: HKU\S-1-5-21-1993962763-152049171-842925246-1000\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:03 PM: HKLM\software\surfsidekick3\ (3 subtraces) (ID = 143413)
4:03 PM: Found Adware: virtualbouncer
4:03 PM: HKLM\software\microsoft\cryptography\services\ || distid (ID = 145553)
4:03 PM: Found Adware: winad
4:03 PM: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
4:03 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
4:03 PM: HKCR\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147153)
4:03 PM: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
4:03 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
4:03 PM: HKLM\software\classes\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147167)
4:03 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
4:03 PM: HKLM\software\media access\ (8 subtraces) (ID = 147182)
4:03 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
4:03 PM: Found Adware: shopnavupdater
4:03 PM: HKLM\software\classes\typelib\{46bd3f46-6e46-43d2-a69d-fd8c05044475}\ (9 subtraces) (ID = 359508)
4:03 PM: HKCR\typelib\{46bd3f46-6e46-43d2-a69d-fd8c05044475}\ (9 subtraces) (ID = 359513)
4:03 PM: Found Adware: abetterinternet
4:03 PM: HKLM\software\classes\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (ID = 359756)
4:03 PM: HKCR\interface\{544b6a3f-4024-4403-9661-69b8410be505}\ (8 subtraces) (ID = 479497)
4:03 PM: HKCR\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (ID = 480791)
4:03 PM: Found Adware: drsnsrch hijacker
4:03 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
4:03 PM: Found Adware: ieplugin
4:03 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
4:03 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
4:03 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
4:03 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
4:03 PM: Found Adware: rich editor
4:03 PM: HKCR\clsid\{71d1708f-973d-4600-af01-ad86688403ae}\ (1 subtraces) (ID = 544813)
4:03 PM: HKCR\typelib\{34a35bbb-8c19-4482-864c-290bd8dd6a5d}\ (9 subtraces) (ID = 544913)
4:03 PM: HKLM\software\classes\clsid\{71d1708f-973d-4600-af01-ad86688403ae}\ (1 subtraces) (ID = 550504)
4:03 PM: HKLM\software\classes\typelib\{34a35bbb-8c19-4482-864c-290bd8dd6a5d}\ (9 subtraces) (ID = 550573)
4:03 PM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\lanbrup.exe\ (1 subtraces) (ID = 552678)
4:03 PM: HKLM\software\classes\typelib\{34a35bbb-8c19-4482-864c-290bd8dd6a5d}\1.0\ (8 subtraces) (ID = 609169)
4:03 PM: HKLM\software\lanbridge\ (28 subtraces) (ID = 609177)
4:03 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
4:03 PM: Registry Sweep Complete, Elapsed Time:00:00:42
4:03 PM: Starting Cookie Sweep
4:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:03 PM: Starting File Sweep
4:03 PM: Found Adware: addestroyer
4:03 PM: c:\documents and settings\all users\application data\addestroyer (1 subtraces) (ID = -2147481464)
4:03 PM: c:\documents and settings\all users\application data\nsv (17 subtraces) (ID = -2147481136)
4:03 PM: Found Trojan Horse: trojan-downloader-bookedspace
4:03 PM: c:\winnt\cfgmgr52 (75 subtraces) (ID = -2147479590)
4:03 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
4:03 PM: c:\winnt\system32\vidctrl (ID = -2147481117)
4:03 PM: c:\winnt\system32\nsvsvc (ID = -2147481119)
4:03 PM: c:\program files\surfsidekick 3 (ID = -2147480186)
4:03 PM: ringtone2.ico (ID = 125993)
4:04 PM: wmv1920.dbd (ID = 57692)
4:04 PM: sony psp1.ico (ID = 125992)
4:05 PM: Found Adware: purityscan
4:05 PM: shex.exe (ID = 94438)
4:05 PM: wmv1215.dbd (ID = 57687)
4:06 PM: Found Adware: upspiral toolbar
4:06 PM: unist2.exe.tcf (ID = 82040)
4:06 PM: ei.exe (ID = 59383)
4:06 PM: kill all spyware.ico (ID = 125994)
4:07 PM: wmv2007.dbd (ID = 57693)
4:08 PM: virushunter4.ico (ID = 113920)
4:08 PM: Found Adware: shopathomeselect
4:08 PM: lgt91krk.dat (ID = 121494)
4:08 PM: Found Adware: adlogix
4:08 PM: lqgebb.xml (ID = 49280)
4:08 PM: jeoqwb.xml (ID = 49280)
4:08 PM: wmv0412.ddx (ID = 57686)
4:08 PM: wmv0204.ddx (ID = 57686)
4:08 PM: wmv0504.ddx (ID = 57686)
4:08 PM: wmv0904.ddx (ID = 57684)
4:08 PM: wmv0106.ddx (ID = 57679)
4:09 PM: wmv0315.ddx (ID = 57686)
4:09 PM: wmv1204.ddx (ID = 57686)
4:09 PM: wmv1909.ddx (ID = 57684)
4:09 PM: wmv1125.ddx (ID = 57685)
4:09 PM: File Sweep Complete, Elapsed Time: 00:05:39
4:09 PM: Full Sweep has completed. Elapsed time 00:13:00
4:09 PM: Traces Found: 858
4:11 PM: Removal process initiated
4:12 PM: Quarantining All Traces: apropos
4:12 PM: Quarantining All Traces: begin2search
4:12 PM: Quarantining All Traces: hotsearchbar toolbar
4:12 PM: Quarantining All Traces: bookedspace
4:12 PM: Quarantining All Traces: delfin
4:12 PM: Quarantining All Traces: e2g
4:12 PM: Quarantining All Traces: multidial
4:12 PM: Quarantining All Traces: exact navisearch
4:12 PM: Quarantining All Traces: trojan-downloader-pacisoft
4:12 PM: Quarantining All Traces: redzip toolbar
4:12 PM: Quarantining All Traces: surfsidekick
4:12 PM: Quarantining All Traces: virtualbouncer
4:12 PM: Quarantining All Traces: winad
4:12 PM: Quarantining All Traces: shopnavupdater
4:12 PM: Quarantining All Traces: abetterinternet
4:12 PM: Quarantining All Traces: drsnsrch hijacker
4:12 PM: Quarantining All Traces: ieplugin
4:12 PM: Quarantining All Traces: rich editor
4:12 PM: Quarantining All Traces: addestroyer
4:12 PM: Quarantining All Traces: trojan-downloader-bookedspace
4:12 PM: Quarantining All Traces: purityscan
4:12 PM: Quarantining All Traces: upspiral toolbar
4:12 PM: Quarantining All Traces: shopathomeselect
4:12 PM: Quarantining All Traces: adlogix
4:12 PM: Removal process completed. Elapsed time 00:00:52
********
3:55 PM: |··· Start of Session, Monday, August 22, 2005 ···|
3:55 PM: Spy Sweeper started
3:56 PM: Messenger service has been disabled.
3:56 PM: |··· End of Session, Monday, August 22, 2005 ···|
  • 0

#53
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, great :tazz:

Any other problems??

Edited by Michelle, 22 August 2005 - 03:23 PM.

  • 0

#54
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
None at all (yeah!!) Thank you so much for your help!! Do you have suggestions on which spyware programs you like? I have so many now and would like to delete some of them.
  • 0

#55
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
One last thing:

Copy everything inside the code box below and paste into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as findfiles.bat on your Desktop.

rem /a lists files regardless of attributes (hidden/system included); the attribute letter must be attached to the switch, not a separate argument
dir C:\WINNT\system32\??anregw.exe /a > files.txt
notepad files.txt

Locate findfiles.bat on your Desktop and double-click on it. It will produce a notepad. I need you to copy everything in that notepad and paste it here.

Copy everything inside the code box below and paste into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as findfiles1.bat on your Desktop.

rem /a lists files regardless of attributes (hidden/system included); the attribute letter must be attached to the switch, not a separate argument
dir C:\WINNT\System32\d?dplay.exe /a > files.txt
notepad files.txt

Locate findfiles1.bat on your Desktop and double-click on it. It will produce a notepad. I need you to copy everything in that notepad and paste it here.

Please post both logs here :tazz:
  • 0

#56
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Here you go!

Volume in drive C has no label.
Volume Serial Number is 8C06-FB55

Directory of C:\WINNT\system32

08/08/2005 08:26a 401,408 ??anregw.exe
1 File(s) 401,408 bytes

Directory of C:\Documents and Settings\Nancy\Desktop

Volume in drive C has no label.
Volume Serial Number is 8C06-FB55

Directory of C:\WINNT\System32

07/26/2000 12:00p 120,592 dvdplay.exe
08/08/2005 08:28a 401,408 d?dplay.exe
2 File(s) 522,000 bytes

Directory of C:\Documents and Settings\Nancy\Desktop
  • 0

#57
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I promise this is the last of your fix :tazz:

You're looking for 2 files to delete (let me know if you don't find them):

C:\WINNT\system32\scanregw.exe

NOTE: this file may not have an icon so it may be harder to find.

Then there are TWO files with the same name in the system32 folder, one is legit!:

C:\WINNT\system32\dvdplay.exe <-If you right-click and go to properties it will have a size of 120,592 created 7/26/2000 THIS IS THE LEGIT ONE! Do NOT Delete this one!

Then there will be this one:

C:\WINNT\system32\dvdplay.exe <-If you right-click and go to properties, it will have a size of 401,408 created 8/8/05. This is the BAD GUY. DELETE THIS ONE! The bad one may not have an icon so it may be harder to find.
  • 0

#58
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Good morning Michelle!

I didn't find the first file at all. The second good file is there twice, but no bad file. I did a search of the whole system too!
Is there anything else I need to look for?
Thank you!

Nancy
  • 0

#59
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
The good file should not be in there twice, one of them is the bad guy. Right-click on both and go to properties and the one with the size of 401,408 (about) created 8/8/05 needs to be deleted. No need to search the whole system, because they are both in the system32 folder :tazz:

Look for any file that starts with 2 letters then ends in "anregw.exe" and delete it, but like I said the name is most likely scanregw.exe and it may not have an icon.

Both of these files are there and need to be deleted.

Edited by Michelle, 23 August 2005 - 10:46 AM.

  • 0
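The two dir checks and the size comparison in the posts above amount to one rule: a file in system32 whose name only displays with "?" placeholders (it is spelled with characters the console cannot show), or one that spells a system binary's name exactly but has the wrong size, is the impostor. The Python script below, an added example and not code from this thread or its participants, automates that rule over a constructed file list; the 120,592 and 401,408 byte sizes come from the thread, while the Cyrillic characters used to build the look-alike names, the cmd.exe control size and the KNOWN_GOOD table are assumptions.

```python
import fnmatch
import os
from typing import Dict, List, Tuple

# Known-good size for the Windows 2000 dvdplay.exe, as quoted in the thread.
KNOWN_GOOD: Dict[str, int] = {"dvdplay.exe": 120592}

def fold_name(name: str) -> str:
    """Replace each non-ASCII character with '?', which is how the console
    rendered the look-alike names ('d?dplay.exe', '??anregw.exe') above."""
    return "".join(ch if ch.isascii() else "?" for ch in name).lower()

def find_lookalikes(entries: List[Tuple[str, int]],
                    known_good: Dict[str, int] = KNOWN_GOOD) -> List[str]:
    """Flag (name, size) pairs that need non-ASCII characters to be spelled,
    or that spell a known-good name exactly but have the wrong size."""
    findings = []
    for name, size in entries:
        folded = fold_name(name)
        if "?" in folded:
            # The folded name doubles as a wildcard pattern: if it matches a
            # known system binary, the file is impersonating that binary.
            twins = [g for g in known_good if fnmatch.fnmatchcase(g, folded)]
            note = f" (look-alike of {twins[0]})" if twins else ""
            findings.append(f"{name!r} {size} bytes: non-ASCII filename{note}")
        elif folded in known_good and size != known_good[folded]:
            findings.append(f"{name!r} {size} bytes: expected {known_good[folded]}")
    return findings

def scan_directory(path: str) -> List[Tuple[str, int]]:
    """Collect (name, size) for every regular file in path, hidden ones included."""
    with os.scandir(path) as it:
        return [(e.name, e.stat().st_size) for e in it if e.is_file()]

# Constructed sample mirroring Nancy's listing: the real dvdplay.exe, a twin
# spelled with Cyrillic izhitsa (U+0475) in place of the 'v', and a
# 'scanregw.exe' whose first two letters are Cyrillic. The 401,408-byte sizes
# are the thread's; cmd.exe's size is an assumed control value.
SAMPLE = [
    ("dvdplay.exe", 120592),
    ("d\u0475dplay.exe", 401408),
    ("\u0455\u0441anregw.exe", 401408),
    ("cmd.exe", 236304),
]

if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE):
        print(finding)
```

On a live machine, feed scan_directory() of the system32 folder into find_lookalikes() instead of SAMPLE; the legit file with the expected size produces no finding, so only the twins are reported.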

#60
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Okay ....
One of the DVD icons shows a size of 120,592 bytes/size on disk 120,832 bytes created on 11/30/99 - Modified on 7/26/00
The other icon shows a size of 120,592 bytes/size on disk 67,584 bytes; created on 11/30/99 - Modified on 7/26/00 ... so which one is the bad guy?

The other file I still have not found ..
  • 0





