Magiccontrol and others [RESOLVED]


This topic is locked

#1
TheoDread
Member, 17 posts

Hey, Howdy, Greetings and Salutations to all at Geeks to go.

I have been experiencing problem after problem with my computer, and I would really appreciate some sage advice. I don't want to bore you with a bunch of details you don't need, so I'll just say I am losing the battle against malware. The Internet Gods seem to have smiled on me though, and I find myself here.

My thanks in advance for your insight and time.

I am using XP (all updates installed; all instant message programs uninstalled, I think)
I use Firefox
I use Panda Internet Security 2005 (trial)

I have followed the steps outlined in "Geeks To Go - Malware Removal - HiJackThis Logs Go Here - You Must Read This Before Posting A Hijackthis Log" to the best of my ability.

Specifically, I have run:

the WinSockFix utility
CleanUp!
Ad-aware SE
CWShredder
Spybot S&D (at this point I visited spywarewarrior and uninstalled the adware/malware protection I had been using)
Ewido Security Suite
TrojanHunter
Hijack This


EVERY scan seemed to find something new.
I have also run numerous scans with Panda.


Here are the logs which I think are requested.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:09:15 AM, 20/08/2005
+ Report-Checksum: 2C586643

+ Scan result:

HKU\S-1-5-21-1004336348-492894223-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1004336348-492894223-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1004336348-492894223-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1004336348-492894223-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1004336348-492894223-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1004336348-492894223-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
:mozilla.6:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.8:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\System Volume Information\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}\RP125\A0035637.dll -> Dialer.Generic : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:18:05 AM, on 20/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\WINDOWS\SYSTEM32\USRshutA.exe
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
D:\Program Files\Netscape Online Accelerator\slipaccel.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Documents and Settings\jhgojbgfbf\Desktop\HijackThis.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [QuickTime Task] "D:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] D:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [slipaccel.exe] "D:\Program Files\Netscape Online Accelerator\slipaccel.exe"
O4 - Global Startup: Netscape Online Accelerator.lnk = D:\Program Files\Netscape Online Accelerator\slipaccel.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe



I am having firewall trouble and am not sure if it is a conflict between my AV protection and windows security center and my browser, or if it is the result of a malware infection, or if I just set something wrong.

Startup is still extremely slow and I do not know if this is due to malware or perhaps if it might just be all the new scanning programs I have installed at your advice.

If I am still infected :tazz:, and if I am not, then some advice on which of the programs I DLed are best to buy, and how they should be set up to work peacefully and cooperatively together, would be awesome.


EDIT:


After surfing for a while and trying a couple of games I am guessing that I am still infected. Things are running pretty slowly. :)

I have also been getting an error message every time I restart. The error message pops up as soon as I click the restart icon. The title box of the error message says "USRprobdA.exe - DLL Initialization Failed". The error message is "The application failed to start because the window station is shutting down".

I am also being driven crazy by my firewall. Panda can't seem to install it properly, as I keep getting an error message stating that an internal error has occurred in a Panda component. Windows Security can't make up its mind whether the firewall is working or not. At some restarts Windows Security Center seems to think that the firewall is fine, and at other restarts Security Center flashes all kinds of warnings about the Panda firewall being down. I was having the same trouble with the Panda 2005 Titanium trial and so uninstalled it and tried the Platinum 2005 instead. Prior to installing any of the Panda products I was using McAfee security on a trial basis.

I have had this computer connected to the internet for about 3 weeks now and I think these problems might go back that far. I knew I was going to have problems, as I needed to connect to the internet to get the upgrades and protection I needed to be safe when connected to the internet. A catch-22, as it were. I thought I would be able to disinfect anything that got through the limited protection I started with. But it has proven to be much more difficult than I remember.

Again, thanks for your time.

END EDIT

Edited by TheoDread, 20 August 2005 - 06:44 PM.

  • 0

#2
Justin - I do a little bit of everything
Member, 2,353 posts

Hello, and welcome to the GeekstoGo Forums. My name is Jfcap, and I will be helping you clean your system. I would like to start off by apologizing for the delay in our response time. We try not to let posts slip through the cracks, but things do happen due to the amount of posts on our website, so again I apologize.

I do not see anything in your log, so we are going to run a scan, to see if there is anything left over. :tazz:

Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue!

It should open automatically. Leave the "Default Settings" ticked and add a tick to "Drives"; this will light up "All Drives". Click "Scan Clean" to begin!

This Scan will take Several Hours or more to Complete, depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

Once the Scan has finished, All entries Identified as Infected will be displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Post those results back here, along with a new HiJackThis log.
  • 0

#3
TheoDread
Topic Starter, Member, 17 posts

Hullo jfcap,

No need to say sorry for the wait, I understand that this forum is busy and the ratio of geeks to infections is way out of balance. I am just happy to be here. My thanks for your help.


I am DLing the suggested file now and will run the scan and post the results asap. I need to work today and therefore the results may not be posted until later this evening. (perhaps 12 hours from the time of this post)

I look forward to working with you to resolve any issues that may remain.

Edit:

Well I DLed...updated...and got stopped...lol


I cannot find the file that starts this scan...sounds silly, I guess, but there it is.

There is no quick launch, no desktop icon...no Start Menu icon, and the three exe files in the kaspersky directory do not start the scan. (kavss.exe, kavupd.exe, and getvlist.exe)

I don't see any batch files that might start it either.

I was going to run this while I was at work...it will have to wait.

If I am missing something obvious..lol...oops...

If not then it is just a matter of finding the right file to start this thing.

END EDIT

Edited by TheoDread, 27 August 2005 - 06:10 AM.

  • 0

#4
Justin - I do a little bit of everything
Member, 2,353 posts

Hello!

Sorry, the directions are confusing. I had to download the program just to figure them out.

After updating the program, you should see Updates Downloaded Successfully. Then press Enter and the program should open. If it does not open, look for mwavscan.exe in that folder.

Then follow the rest of the directions to set the scan up.



Let me know if you have any other questions :tazz:
  • 0

#5
TheoDread
Topic Starter, Member, 17 posts

Your directions are fine.

I dunno why, but when I updated and hit enter when the time came...nothing happened...the dosbox just closed.

But I did figure it out...the file that starts the program is mwavscan.com

I managed to start the scan before I left for work..the results follow.

Scan Results,

File D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHEF8LE3\MediaTicketsInstaller[1].cab tagged as not-a-virus:AdWare.MediaTickets.f. No Action Taken.

File D:\System Volume Information\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}\RP126\A0038025.exe tagged as not-a-virus:AdWare.NaviPromo.c. No Action Taken.


results end


So there you have it. All I can tell you is these look suspicious to me. :)
Good thing I am planning on doing a lot more listening than telling :tazz:
  • 0

#6
Justin - I do a little bit of everything
Member, 2,353 posts

Hello!

Download Cleanup from Here (Alternate site if the above is not working Go Here)
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK

Run Cleanup
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.

Then post a new HiJackThis log for me. And let me know how the computer is running.
  • 0

#7
TheoDread
Topic Starter, Member, 17 posts

Sorry about the slow response...my poor 'puter is running pretty slow...and I have had to restart a couple of times.

Also, the geekstogo site was timing out every time I tried to connect to it.

I hope I haven't messed anything up, but I went ahead and ran an ewido security suite scan and a panda scan. Both programs found problems and said they were fixed. I hope this doesn't mess up what you are trying to do...I do appreciate your help.


As requested

Cleanup was run

and then HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:59:55 PM, on 27/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SYSTEM32\USRshutA.exe
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE
D:\Program Files\Netscape Online Accelerator\slipaccel.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
D:\WINDOWS\System32\alg.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\jhgojbgfbf\Desktop\GtGfix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [QuickTime Task] "D:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [slipaccel.exe] "D:\Program Files\Netscape Online Accelerator\slipaccel.exe"
O4 - Global Startup: Netscape Online Accelerator.lnk = D:\Program Files\Netscape Online Accelerator\slipaccel.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Show All Original Images - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{241EE592-7946-4BFA-ACFF-767603D666CA}: NameServer = 198.6.100.125 198.6.1.125
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe


:tazz:
  • 0
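Comparing the HijackThis logs posted in this thread by eye is tedious, so here is an added Python example (my own, not code from HijackThis, Geeks to Go or either poster) that parses the `Rn`/`On` entry lines of a HijackThis 1.99 log, reports which entries appeared or disappeared between two logs from the same machine, and pulls out the settings a log reviewer usually checks first: the IE proxy (R1), downloaded ActiveX controls (O16 DPF) with their source host, and configured DNS servers (O17). The two sample logs are a constructed subset of the logs in posts #1 and #7 above, with the download URLs truncated exactly as the forum truncated them; the triage rules are my assumptions, and the code only surfaces entries, it does not judge them.

```python
"""Parse HijackThis 1.99 log lines, diff two logs, and pull out the
entries a log reviewer checks first.

Added example for this thread; not code from HijackThis, Geeks to Go or
either poster. Sample logs are a constructed subset of the logs posted
above (URLs truncated exactly as the forum truncated them). The triage
rules are this example's assumptions, not a HijackThis feature.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entry lines look like "O4 - HKLM\..\Run: [Name] path"; header lines and
# the "Running processes" block do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?:http=)?(?P<host>[^:\s;]+):(?P<port>\d+)")
DPF_RE = re.compile(
    r"DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)"
)
NS_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, O2, O4, O16, O17, O23, ...
    detail: str   # everything after "Oxx - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the Rn/Fn/Nn/On entries of a HijackThis log in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"]))
    return entries


def diff_logs(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """(added, removed) entries between two logs from the same machine.
    Shows what a cleanup run actually changed, entry by entry."""
    a, b = set(parse_hjt(old)), set(parse_hjt(new))

    def key(e: Entry):
        return (e.section, e.detail)

    return sorted(b - a, key=key), sorted(a - b, key=key)


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Assumed reviewer rules: surface the IE proxy (R1), every downloaded
    ActiveX control (O16 DPF) with its source host, and configured DNS
    servers (O17). Returns (category, summary) pairs; it decides nothing
    about good or bad, it only puts these entries in front of the reviewer."""
    findings = []
    for e in entries:
        if e.section == "R1" and (m := PROXY_RE.search(e.detail)):
            scope = "loopback" if m["host"].startswith("127.") else "remote"
            findings.append(("proxy", f"{scope} proxy {m['host']}:{m['port']}"))
        elif e.section == "O16" and (m := DPF_RE.search(e.detail)):
            host = urlparse(m["url"]).hostname or "?"
            findings.append(("activex", f"{m['name'] or m['clsid']} from {host}"))
        elif e.section == "O17" and (m := NS_RE.search(e.detail)):
            findings.append(("dns", m["servers"].strip()))
    return findings


# Constructed subset of the log in post #1 (raw strings keep the backslashes).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:18:05 AM, on 20/08/2005

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Documents and Settings\jhgojbgfbf\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [THGuard] D:\Program Files\TrojanHunter 4.2\THGuard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Constructed subset of the log in post #7: THGuard is now quoted, and
# O8 and O17 entries appear.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:59:55 PM, on 27/08/2005

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O8 - Extra context menu item: Show All Original Images - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/250
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{241EE592-7946-4BFA-ACFF-767603D666CA}: NameServer = 198.6.100.125 198.6.1.125
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for e in added:
        print("+", e.section, e.detail)
    for e in removed:
        print("-", e.section, e.detail)
    for cat, summary in triage(parse_hjt(NEW_LOG)):
        print(f"[{cat}] {summary}")
```

Run stand-alone it prints the three entries that appeared between the two sample logs, the one that disappeared (the unquoted THGuard line), and the four triage findings. Diffing is done on exact line text on purpose: a quoting change in an O4 entry, as between posts #1 and #7 here, is exactly the kind of small change a reviewer wants to notice rather than have folded away.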

#8
Justin - I do a little bit of everything
Member, 2,353 posts

Hello!

If you saved the log from PandaScan and Ewido, could you please post them?

Thanks :tazz:
  • 0

#9
TheoDread
Topic Starter, Member, 17 posts

Well here is what is happening.

It does not seem to matter how many scans I complete or whether the programs say the infections are cleaned or not. Every time I run a new scan, the same infections are still there. I have run numerous scans this week and am still where I started. I understand you are still collecting information and I hope these help.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:51:12 AM, 28/08/2005
+ Report-Checksum: 73E324E3

+ Scan result:

:mozilla.17:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.21:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.36:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.37:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.38:D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\System Volume Information\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}\RP135\A0038275.exe -> Spyware.DealHelper : Cleaned with backup
D:\System Volume Information\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}\RP135\A0038276.exe -> Spyware.DealHelper : Cleaned with backup


::Report End


PANDA Report


Panda Platinum 2005 Internet Security incident report
Filter selected:Virus detected, Suspicious file, Dangerous file, Script execution
Phone connection, Connection attempt, Port scan attack, Denial of service attack,
Spoofing, Attacking IP address blocked, Enabled, Disabled, Update, Scan started, Scan complete,
Date: After or on 08/28/05

Scan complete On-demand antivirus scan 08/28/05 11:24:42 Scan: My Computer
Spyware detected: Cookie/Humanclick On-demand antivirus scan 08/28/05 11:11:48 Disinfected Path: D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt[hc2.humanclick.com/]
Spyware detected: Cookie/Humanclick On-demand antivirus scan 08/28/05 11:11:48 Disinfected Path: D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt[hc2.humanclick.com/hc/53382006]
Spyware detected: Cookie/Humanclick On-demand antivirus scan 08/28/05 11:11:48 Disinfected Path: D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt[hc2.humanclick.com/]
Spyware detected: Cookie/Humanclick On-demand antivirus scan 08/28/05 11:11:48 Disinfected Path: D:\Documents and Settings\jhgojbgfbf\Application Data\Mozilla\Firefox\Profiles\ba5otgi6.default\cookies.txt[hc2.humanclick.com/hc/53382006]
Scan started On-demand antivirus scan 08/28/05 11:08:30 Scan: My Computer



The Kaspersky mwavscan reports the same two files

File D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHEF8LE3\MediaTicketsInstaller[1].cab tagged as not-a-virus:AdWare.MediaTickets.f. No Action Taken.

File D:\System Volume Information\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}\RP126\A0038025.exe tagged as not-a-virus:AdWare.NaviPromo.c. No Action Taken.

EDIT

AdWare.NaviPromo. This is where I think the problem is. NaviPromo, aka Magiccontrol.

:) ...but I am not really supposed to be thinking am I .. :tazz:

END EDIT


And here is a fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:35:29 PM, on 28/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\SYSTEM32\USRshutA.exe
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE
D:\Program Files\Netscape Online Accelerator\slipaccel.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\jhgojbgfbf\Desktop\GtGfix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [QuickTime Task] "D:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [slipaccel.exe] "D:\Program Files\Netscape Online Accelerator\slipaccel.exe"
O4 - Global Startup: Netscape Online Accelerator.lnk = D:\Program Files\Netscape Online Accelerator\slipaccel.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Show All Original Images - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe


These were run in the order they are presented. I hadn't saved the last two logs, so I just re-ran CleanUp!, followed by these scans.

Once more allow me to say thank you for your time and knowledge.

I will not run any more scans until and unless you require them.

Edited by TheoDread, 28 August 2005 - 12:58 PM.


#10
Justin (I do a little bit of everything, Member, 2,353 posts)
Hello!

Open Add/Remove Programs and let me know if you see any of the following (and remove it if you do):

mc
wintrim
wincomp


This will let me know which variant of MagicControl you have.


#11
TheoDread (Topic Starter, Member, 17 posts)
G'day,

I am sorry to say that I did not see anything in Add/Remove Programs. All of the programs there are programs which I installed... just a couple of games. I could list all of them if you need me to.

#12
Justin (I do a little bit of everything, Member, 2,353 posts)
Hello!

Please download aSquared

Open aSquared and scan your computer. It should fix the MagicControl issue.

Fix anything that aSquared finds, and let me know how it goes.

#13
TheoDread (Topic Starter, Member, 17 posts)
Hullo again,

Well, I downloaded, installed, and updated a-squared. I ran the scan with the default settings.

It did not find anything.

I was researching NaviPromo about a week ago when I saw the "aka MagicControl", so I am just going by what I have read when I say I think it is MagicControl. When I research NaviPromo.c I find some information, and there are AV definitions for it. Ewido is supposed to be able to take care of it, but it does not.

I am a little worried about the Kaspersky scans results...

File D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHEF8LE3\MediaTicketsInstaller[1].cab tagged as not-a-virus:AdWare.MediaTickets.f. No Action Taken.

File D:\System Volume Information\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}\RP126\A0038025.exe tagged as not-a-virus:AdWare.NaviPromo.c. No Action Taken.


...insofar as both of these files are obvious malware. Why and how are they tagged as "not a virus" and then ignored ("no action taken")?

Is there a way to delete these files? I do not want to interfere with your solution, so I am just leaving these for now. Also, I just don't know if deleting these two will solve anything if they are not the main components of the program.

I am more than willing to continue running any scans you think might help.

I look forward to an eventual solution. I am going to run cleanup again and post a fresh HJT log.

Thanks

#14
TheoDread (Topic Starter, Member, 17 posts)
Here is a fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:17:36 AM, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\WINDOWS\SYSTEM32\USRshutA.exe
D:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\Program Files\Netscape Online Accelerator\slipaccel.exe
D:\Program Files\a2\a2guard.exe
D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
D:\Documents and Settings\jhgojbgfbf\Desktop\GtGfix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [USRpdA] D:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [QuickTime Task] "D:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [slipaccel.exe] "D:\Program Files\Netscape Online Accelerator\slipaccel.exe"
O4 - HKCU\..\Run: [a-squared] "D:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Netscape Online Accelerator.lnk = D:\Program Files\Netscape Online Accelerator\slipaccel.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Show All Original Images - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://D:\Program Files\Netscape Online Accelerator\slipaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{241EE592-7946-4BFA-ACFF-767603D666CA}: NameServer = 198.6.100.125 198.6.1.125
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - D:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe

Lemme know what you think.

I was thinking about cleaning all of the references to McAfee, as I am not using it... I thought it was uninstalled, but there appears to be some residual stuff left...

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab

I am also not sure what this is...

O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe


I am thinking that the three O16 entries could be cleaned, but I would like your input before I do it.

Also, I ran an online analysis of this log that you could look at HERE. I dunno if you need to or if it will even help. I am just tossing in anything I think might help.

Thanks again.

EDIT

I have been spending some time reading the tutorials in geek-u. I am not sure if this means anything or not, so I'll just toss this out for your information.

I mentioned in my first post here that I am using Firefox as my default browser. I believe this is a Mozilla-based browser. I do use Internet Explorer. Yet the settings for IE are showing up in the R0 line, and R1 is a mystery to me... I am going to research the entry "ProxyServer = http=127.0.0.1:5401". I dunno what I may find out, but it seems strange to me that I would even have an R0 or R1 when I am not using IE.

To continue along that train of thought: this brings up the lack of any "N" entries... there is no entry for N1, N2, N3 etc. If Firefox is my default browser, shouldn't there be an entry in the log which reflects that?

(Again with the thinking)

I would not be surprised if I am way out in left field with this, but my poor brain has been working overtime trying to sort this out. As always I look forward to your input.

END EDIT

Edited by TheoDread, 29 August 2005 - 01:51 PM.


#15
Justin (I do a little bit of everything, Member, 2,353 posts)
Hello!

First, I need to ask you to stop offering advice on how to fix your own computer. You are still in GeekU, and if you wish, you are more than welcome to fix your computer on your own. However, if you decide to take matters into your own hands and fix your computer, Geekstogo.com will not be responsible for any damage.

The majority of items in HiJackThis are considered harmless, and if you remove them, there is a large possibility that you remove something that your computer needs.

So if you would like me to continue working on your computer, follow the below directions:

Let's clear your restore points; this will get rid of the entry that is making you believe that you have MagicControl\NaviPromo.C. aSquared is a great program that will find and remove both MagicControl and NaviPromo.C. I can safely say that you are not infected with either of those.

The entry that you are seeing is in your system restore. So by clearing your restore points, NaviPromo.C will no longer show up.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405


Next, to get rid of those O16s that you are worried about, run KAV again.

Finally, please let me know if you are using TweakUI. I see it in your HiJackThis log, and if you are intentionally using this program, it could be the cause of your problems.
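Added example for this thread (not code from HijackThis, Kaspersky, Geeks to Go or either participant): a small Python triage script that parses the entry lines of a HijackThis 1.99 log and applies the checks raised in post #14 (an R1 proxy pointing at the loopback address, O16 ActiveX packages from hosts outside an allowlist, O17 name servers to confirm against the ISP, O23 services with no publisher), and separately classifies a "File ... tagged as ... No Action Taken." scan line of the kind quoted in post #13, so that a detection under a restore point or the IE cache is recognised as a stored copy rather than a loaded component, which is the point of post #15. The KNOWN_DPF_HOSTS allowlist, the hostnames in the sample O16 lines, the O17 addresses and the O23 service are assumptions constructed for the example; only the restore-point path in SAMPLE_SCAN is copied from post #13. The script flags entries for review; it does not decide that any of them is malicious.

```python
"""Triage helpers for HijackThis 1.99 log entries and "File ... tagged as ..."
scan-report lines.  Added example for this page; not part of HijackThis,
Kaspersky, or any tool used in the thread.  KNOWN_DPF_HOSTS and the sample
input at the bottom are assumptions constructed for illustration."""
import re

HJT_LINE = re.compile(r"^([RFN]\d|O\d{1,2}) - (.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Restore-point snapshot directory: \System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I)
CACHE_RE = re.compile(r"\\Temporary Internet Files\\", re.I)
SCAN_LINE = re.compile(r"^File (.+?) tagged as (\S+?)\. (.*)$")

# Hosts already vetted as legitimate ActiveX (CAB) sources.  Assumption: this is
# an allowlist the analyst maintains; the entries here are illustrative only.
KNOWN_DPF_HOSTS = {"download.microsoft.com", "java.sun.com"}


def parse_hjt(text):
    """Return (section, body) for each Rn/Fn/Nn/Onn entry of a HijackThis log,
    skipping the header and the running-process list."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(entries):
    """Apply the checks raised in the thread.  Each finding is
    (severity, section, note): 'review' = look closer, 'verify' = confirm
    against something you control (installed software, your ISP)."""
    findings = []
    for section, body in entries:
        if section == "R1" and "ProxyServer = " in body:
            proxy = body.split("ProxyServer = ", 1)[1].strip()
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(("review", "R1",
                                 f"IE is proxied through a local listener ({proxy}); "
                                 "identify which installed program owns that port"))
        elif section == "O16":
            m = HOST_RE.search(body)
            host = m.group(1).lower() if m else "(no URL)"
            if host not in KNOWN_DPF_HOSTS:
                findings.append(("review", "O16", f"ActiveX package offered from {host}"))
        elif section == "O17":
            findings.append(("verify", "O17",
                             f"name servers {IPV4_RE.findall(body)} should be your ISP's"))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("verify", "O23",
                             "service binary carries no publisher name; check its file properties"))
    return findings


def classify_detection(line):
    """Explain a 'File X tagged as Y. No Action Taken.' line.  A 'not-a-virus:'
    prefix is Kaspersky's adware/riskware class, not a clean verdict; a path
    under a restore point or the IE cache is a stored copy, not a loaded
    component, which is why the HijackThis log shows nothing for it."""
    m = SCAN_LINE.match(line.strip())
    if not m:
        return None
    path, verdict, action = m.groups()
    if RESTORE_RE.search(path):
        where = "restore-point copy: clear System Restore points instead of deleting by hand"
    elif CACHE_RE.search(path):
        where = "browser-cache copy: clearing Temporary Internet Files removes it"
    else:
        where = "live file: treat as an active component"
    return {"path": path, "verdict": verdict, "action": action,
            "riskware": verdict.startswith("not-a-virus:"), "where": where}


# Constructed sample input; hostnames, addresses and the O23 service are hypothetical.
SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1
Running processes:
D:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5401
O16 - DPF: {00000000-0000-0000-0000-000000000001} - http://download.microsoft.com/x/y.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Some.Ctl) - http://cabs.example.net/dl/ctl.CAB
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0000}: NameServer = 192.0.2.1 192.0.2.2
O23 - Service: Example Poller - Unknown owner - D:\\WINDOWS\\System32\\poller.exe
"""
# Scan line as quoted in post #13 of the thread.
SAMPLE_SCAN = ("File D:\\System Volume Information\\_restore{B32500C8-9991-4AF5-8667-9F48CE777EA0}"
               "\\RP126\\A0038025.exe tagged as not-a-virus:AdWare.NaviPromo.c. No Action Taken.")

if __name__ == "__main__":
    for severity, section, note in triage_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"[{severity}] {section}: {note}")
    print(classify_detection(SAMPLE_SCAN))
```

Run it as-is to see the four findings for the constructed log and the classification of the restore-point detection; to use it on a real log, paste the log text in place of SAMPLE_HJT and extend KNOWN_DPF_HOSTS with the CAB hosts you have actually verified.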