Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

aurora/popups [RESOLVED]

Started by borboleta , Aug 18 2005 02:40 PM

  • This topic is locked This topic is locked

#1
borboleta
Posted 18 August 2005 - 02:40 PM

borboleta

    Member

  • Member
  • PipPip
  • 21 posts
i tryed to follow the "You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log.", but im confused. first, i think i successfull did the CleanUp!, Adaware SE (but i have another question about this, in a sec...), CWShredder, Search and Destroy, and Ewido. i know that there is a norton antivirus icon at the bottom right of my start bar thingy, but i dont know if it is updated or whatever. i tryed the trendhousecall, but it seems like thats for netscape users? and Panda is for IE browsers? i am using Mozilla Foxfire(i just switched yesterday from IE)...ok. so then i just hit the Windows Update downlowd SP1a link and went through that, and now i rebooted and AdAware came up and showed me the 200+quarantined objects, i just closed the window, cause i didnt know what to do with them...so i guess my questions before i download hijackthis and post the log is do i need to do an antivirus scan, did i do the security updates for windows correctly, and what do i do with the quarintined items in AdAware? and then ill download the hijack this and post the log? sorry for the monologue, i want to get this right, and i feel like ive already spent too much time on this...:tazz:

oh, and also do i need to keep the software for all those things? my desktop is suddenly very full...

ok, i received no replies, so im going to add the hijack this log and see if someone can please help me...im still getting the aurora popups...

Logfile of HijackThis v1.99.1
Scan saved at 6:20:19 PM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kasrof.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\windows\sp2update.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\lotus\organize\easyclip.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vince.COMPANY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 192.1.1.2 omd
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\mo6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [fvhlar] C:\WINDOWS\System32\kasrof.exe r
O4 - HKLM\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\fsacsklc.mht!http://filesharingac...Bridge-c139.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\Software\..\Telephony: DomainName = sostexas.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

thanks!

thanks,
borboleta

Edited by borboleta, 22 August 2005 - 07:21 PM.

  • 0

Advertisements

#2
Excal
Posted 22 August 2005 - 09:47 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi borboleta and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
borboleta
Posted 23 August 2005 - 12:04 AM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
thanks so much, and i didnt mean to be impatient. on the contrary, i am ever so grateful! i was just worried that i had done something dumb...again :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 11:03:32 PM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kasrof.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\windows\sp2update.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\lotus\organize\easyclip.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\kductbkqzv.exe
C:\Documents and Settings\Vince.COMPANY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 192.1.1.2 omd
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\mo6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [fvhlar] C:\WINDOWS\System32\kasrof.exe r
O4 - HKLM\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\fsacsklc.mht!http://filesharingac...Bridge-c139.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\Software\..\Telephony: DomainName = sostexas.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#4
Excal
Posted 23 August 2005 - 12:20 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
lol, your doing fine :tazz:


DOWNLOAD PROGRAMS

Please download Nailfix from Here
please do NOT run it yet.

Download CWShredder here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
We will be using this program later.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

5. Once in Safe Mode, please double-click on
Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

6. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 192.1.1.2 omd
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [fvhlar] C:\WINDOWS\System32\kasrof.exe r
O4 - HKLM\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\fsacsklc.mht!http://filesharingac...Bridge-c139.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

10. click the Fix Checked box

11. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

SurfSideKick 3

12. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\SurfSideKick 3

13. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\msresearch.exe
C:\windows\sp2update.exe
C:\WINDOWS\System32\nhq776.exe

14. Run the program CleanUp!

15. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

16. Please post an Active scan log , Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#5
borboleta
Posted 23 August 2005 - 12:28 PM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
ok...so i couldnt start in safe mode, cause somehow the login/pswd is different, so i just did it all in normal mode...i checked everythting that i could for the hijack this thing, but the following werent there:
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [fvhlar] C:\WINDOWS\System32\kasrof.exe r
O4 - HKLM\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O4 - HKCU\..\RunOnce: [nhq776.exe] C:\WINDOWS\System32\nhq776.exe /k
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
...so that 14 thingys were fixed...
i couldnt find SurfSideKick 3 in add/remove programs, but there was something odd, a program caled Select Cashback...i left it, but it doesnt seem right...
ok, then i tried to remove C:/Program Files/SurfSideKick 3...i found the folder, but i couldnt delete it, a message came up that said cannot delete Ssk.exe...in use...but i didnt have any windows open, and i wasnt connected to the internet, i swear...i removed C:\WINDOWS\msresearch.exe,
but i couldnt find the following:
C:\windows\sp2update.exe
C:\WINDOWS\System32\nhq776.exe
i ran clean up, but i couldnt do Active scan, cause i use Firefox...should i open it with explorer? also, as soon as i opened the internet connection, my dear friend aurora poped up to say hello, so that certainly hasnt been fixed... here is the ewido scan and the hijack this log, i didnt get the active scan, like i said...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:56:37 AM, 8/23/2005
+ Report-Checksum: 8F1BBEBA

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
[1672] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
[780] C:\WINDOWS\System32\msoibp.exe -> Trojan.Agent.cp : Cleaned with backup
[1840] C:\windows\sp2update.exe -> TrojanDownloader.VB.nh : Cleaned with backup
[1560] VM_00BF0000 -> Adware.BetterInternet : Error during cleaning
:mozilla.17:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Vince.COMPANY\Application Data\Mozilla\Firefox\Profiles\vtzeikcg.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Cookies\vince@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Cookies\vince@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Cookies\vince@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Local Settings\Temp\1ke.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Vince.COMPANY\Local Settings\Temporary Internet Files\Content.IE5\TOM5F4H9\sp2update[1].exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031739.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031740.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031741.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031742.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031743.exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031744.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031745.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031746.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031747.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031748.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP164\A0031749.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP165\A0033987.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP165\A0033988.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP165\A0033996.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0034005.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0034018.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0034984.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0034986.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0034987.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0034997.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0035021.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP166\A0035026.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP167\A0035042.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP167\A0035049.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP167\A0035055.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\1ke.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\kductbkqzv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\sp2update.exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\WINDOWS\SYSTEM32\1ke.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\msoibp.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\SYSTEM32\nhq776.exe -> Trojan.Kolweb.b : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 11:27:31 AM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\jbaxdj.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\lotus\organize\easyclip.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vince.COMPANY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\6lo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [tsqrbqf] C:\WINDOWS\System32\jbaxdj.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\RunOnce: [ugaq68m.exe] C:\WINDOWS\System32\ugaq68m.exe /k
O4 - HKCU\..\RunOnce: [ugaq68m.exe] C:\WINDOWS\System32\ugaq68m.exe /k
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\Software\..\Telephony: DomainName = sostexas.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sostexas.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{1193E467-A6FE-441A-A652-8F3C9FCE4D48}: NameServer = 128.200.1.201,128.200.192.202
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe



sorry to ramble on, but i figure its better to tell you everything (youre like a therapist, im just trying to get it all out so you can analyse it and tell me what i need to do to get better! :tazz: ) thanks so much!!!!!
  • 0

#6
borboleta
Posted 23 August 2005 - 12:30 PM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
ahhhhhh! suddenly im getting notices to download winfixer 2005 cause my registry is batty, and its trying to trick me into downloading, but i dont think i want to :tazz: !!! make it stop!!!!
  • 0

#7
Excal
Posted 23 August 2005 - 01:32 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
You have to find a way to get into safe mode, other wise we are going to have problems trying to fix this.

Thanks,

:tazz:

Excal
  • 0

#8
borboleta
Posted 24 August 2005 - 04:21 AM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
once i am able to get into safe mode (tomorrow morning, probably) what do i do? all the steps again? oh, and i was able to delete the SurfSideKick 3 folder...

thanks for all your help!
  • 0

#9
Excal
Posted 24 August 2005 - 08:22 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yes :tazz:



Excal
  • 0

#10
borboleta
Posted 24 August 2005 - 12:12 PM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
sooo, in safe mode i cant find CWShredder or Nailfix, although in normal mode its on the desktop...
also, i have musicplaying software on my computer (Musicmatch Jukebox) that is missing files now, and cant open, the dialog box suggests i try reinstalling...any comments?

sorry im so useless :tazz: ...

thanks for being so amazing :) !
  • 0

Advertisements

#11
Excal
Posted 24 August 2005 - 12:23 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

sorry im so useless

No your not, this isn't easy thing to do. I give u alot of credit for doing this on your own :)


in safe mode i cant find CWShredder or Nailfix


becasue they are on another account, put them in shared document folder or you might to do a start>search for CWShredder.exe and nailfix.exe

i have musicplaying software on my computer (Musicmatch Jukebox) that is missing files now,


May have been that files were corrupted by the malware you have on your system, may have to reinstall it when we get you cleaned up


:tazz:

Excal
  • 0

#12
borboleta
Posted 25 August 2005 - 07:24 PM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
im losing steam...maybe aurora isnt that bad...j/k :tazz: . how do i make a shared document folder? i did a search in safemode for the applications, but i couldnt access them. also, when i shut down from safe mode, there is always a dialog box that says: end program-sample, and i have just been saying end now...but should i worry about that?
  • 0

#13
borboleta
Posted 25 August 2005 - 08:31 PM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
i figured it out...i rock!

Edited by borboleta, 25 August 2005 - 08:32 PM.

  • 0

#14
borboleta
Posted 25 August 2005 - 08:46 PM

borboleta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
never mind. i made a folder, i made it be shared, but i cant find it in safe mode... :tazz:
  • 0

#15
Excal
Posted 25 August 2005 - 10:37 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Go to my computer. Then in that box, up in the top you will see a folder called "Shared Documents"

:tazz:

Excal
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP