Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Winfixer installtion pop ups and more random ones [RESOLVED]


  • This topic is locked This topic is locked

#1
Oracle115

Oracle115

    New Member

  • Member
  • Pip
  • 5 posts
Hi i recently got rid of aurora now my only problem is winfixer and more random stuff ive done several searches and deletes with ad aware,spy sweeper,Spybot search and destroy, and more but just come back right after a reboot heres my hijack this log ill post my ewido log in just a second after this scan finishes

Logfile of HijackThis v1.99.1
Scan saved at 7:09:41 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLServiceHost.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Matt\My Documents\Spyware Fixer\HJT1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\nut.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CqS] C:\documents and settings\~~~~~~chris~~~~~\local settings\temp\CqS.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125381020\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontal...protect/npx.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.f...lobal/msc37.cab
O20 - Winlogon Notify: nut - C:\WINDOWS\Help\SBSI\nut.dll
O20 - Winlogon Notify: tcpmfc - C:\WINDOWS\msagent\INTL\tcpmfc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Heres my Ewido Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:57:08 PM, 9/2/2005
+ Report-Checksum: 8C34C6E2

+ Scan result:

HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Ignored
C:\Documents and Settings\Matt\Cookies\matt@2o7[2].txt -> Spyware.Cookie.2o7 : Ignored
C:\Documents and Settings\Matt\Cookies\matt@perf.overture[1].txt -> Spyware.Cookie.Overture : Ignored
C:\Documents and Settings\Matt\Cookies\matt@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Ignored
C:\Documents and Settings\Matt\My Documents\Spyware Fixer\backups\backup-20050827-105707-379.dll -> TrojanDownloader.ConHook.k : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0307412.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308461.exe -> Spyware.CASClient : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308465.exe -> Adware.BetterInternet : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308466.exe.tcf -> Trojan.Imiserv.c : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308467.exe -> TrojanDownloader.VB.hw : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308476.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308478.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0308583.dll -> Trojan.Agent.db : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0309480.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0309529.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0310529.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0311528.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0312528.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP282\A0312621.exe -> Trojan.Pakes : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP286\A0316995.dll -> Spyware.HotSearchBar : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0317955.dll -> TrojanDownloader.ConHook.k : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318099.dll -> Trojan.Agent.db : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318105.exe -> Spyware.SafeSurfing : Ignored
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318107.dll -> Spyware.SafeSurfing : Ignored
C:\WINDOWS\Help\SBSI\nut.dll -> Spyware.Virtumonde : Ignored
C:\WINDOWS\MSAGENT\INTL\tcpmfc.dll -> Spyware.Virtumonde : Ignored
C:\WINDOWS\nyajblh.exe -> TrojanDropper.Agent.tb : Ignored
C:\WINDOWS\SYSTEM32\geede.dll -> TrojanDownloader.ConHook.k : Ignored
C:\WINDOWS\znizyftwp.exe -> Adware.BetterInternet : Ignored
HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning


::Report End
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Oracle115 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Why did you choose to ignore all the fixes with ewido?


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • Please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Help\SBSI\nut.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\nut.dll
    O20 - Winlogon Notify: nut - C:\WINDOWS\Help\SBSI\nut.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please post a new HijackThis log as well as the vundofix.txt file from the vundofix folder into this topic.

  • 0

#3
Oracle115

Oracle115

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I went into safe mode went into KillVundo

pressed enter
typed in C:\WINDOWS\Help\SBSI\nut.dll

Pressed enter F6 and Enter

Then it said that file could not be found


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 188 'smss.exe'
Threads [192][196][200]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 828 'explorer.exe'
Killing PID 828 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 268 'winlogon.exe'
Killing PID 268 'winlogon.exe'
Could not delete file.
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Could I please have a fresh HiJackthis log :)


Thanks,

:tazz:

Excal
  • 0

#5
Oracle115

Oracle115

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sorry for the trouble, I do plan on donating after this though :tazz:

Here it is,


Logfile of HijackThis v1.99.1
Scan saved at 5:05:34 PM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Matt\My Documents\Spyware Fixer\HJT1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\nut.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CqS] C:\documents and settings\~~~~~~chris~~~~~\local settings\temp\CqS.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125381020\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontal...protect/npx.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.f...lobal/msc37.cab
O20 - Winlogon Notify: nut - C:\WINDOWS\Help\SBSI\nut.dll
O20 - Winlogon Notify: tcpmfc - C:\WINDOWS\msagent\INTL\tcpmfc.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Oracle115, 03 September 2005 - 03:09 PM.

  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link does not work) and install it.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.


Please download the Killbox.

Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\Help\SBSI\nut.dll

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
  • when system reboots, please boot into safe mode..
while in safe mode

open Hijackthis and do a scan. Please check off the following items:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\SBSI\nut.dll
O20 - Winlogon Notify: nut - C:\WINDOWS\Help\SBSI\nut.dll


click FIX CHECKED then close Hijackthis

Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\Help\SBSI\nut.dll

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.



Thanks,

:tazz:

Excal

Edited by Excal, 03 September 2005 - 04:04 PM.

  • 0

#7
Oracle115

Oracle115

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
:tazz: :) Hah All gone thank you very much :) :)


Geeks to Go For the win! ive never seen my computer go this fast O.o


Logfile of HijackThis v1.99.1
Scan saved at 7:02:03 PM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLServiceHost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1125381020\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\My Documents\Spyware Fixer\HJT1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125381020\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.f...lobal/msc37.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Pandaware Free Scan

Incident Status Location

Possible Virus. No disinfected C:\Documents and Settings\Matt\Desktop\Games\redux\redux.exe
Virus:Trj/Pakes.AV Disinfected C:\Documents and Settings\Matt\My Documents\Spyware Fixer\backups\backup-20050903-174017-486.dll
Adware:Adware/BigTrafficNet No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP286\A0317036.exe
Virus:Trj/Downloader.L Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318100.inf
Spyware:Spyware/BetterInet No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318101.inf
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318102.inf
Adware:Adware/DealHelper No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318111.dll
Spyware:Spyware/ShopNav No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP287\A0318114.exe
Virus:Trj/Agent.AJK Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP290\A0319583.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP290\A0319608.exe
Virus:Trj/Pakes.AV Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP290\A0319626.dll
Virus:Trj/Pakes.AV Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP290\A0319684.dll
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Virus:Trj/Keyhost.A Disinfected C:\WINDOWS\INF\host.inf
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\ATHPRXY5.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\ezStub3.dll
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:Adware/NetPals No disinfected C:\WINDOWS\SYSTEM32\n3tpa1i.dll
Adware:adware/aurora No disinfected C:\WINDOWS\SYSTEM32\Poller.exe
Adware:adware/ilookup No disinfected C:\WINDOWS\SYSTEM32\xbox31.ico

Edited by Oracle115, 03 September 2005 - 05:37 PM.

  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
If you use Windows XP, Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\cfgmgr52.ini
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.
C:\WINDOWS\INF\host.inf
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\SYSTEM32\ATHPRXY5.exe
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\SYSTEM32\n3tpa1i.dll
C:\WINDOWS\SYSTEM32\Poller.exe
C:\WINDOWS\SYSTEM32\xbox31.ico


Post back when you finish and tell me how your computer is running :tazz:
  • 0

#9
Oracle115

Oracle115

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Running perfectly now :tazz: I cant thank you enough all the files were deleted succesfully
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to start>all programs>accessories>system tools>Disk Defragmentor Make sure it set to the proper drive (default should be your main driver) and click on defragment


Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#11
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP