
aurora/altnet/nuker on my system [CLOSED]


#1 actexas
Ladies and gentlemen, I am at a loss and about to take a shotgun to this poor customer's box. Need your help.


__________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 2:17:36 PM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Norma\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108323758\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rpswjclb] c:\windows\system32\rpswjclb.exe -start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Blue Up] C:\PROGRA~1\DRIVEB~1\axisarmy.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125662593781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

__________________________________________
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:43:03 PM, 9/2/2005
+ Report-Checksum: 5B74B99A

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ANSMTP.MassSender -> Spyware.007Spy : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{43F02779-6D88-4958-8AD3-83C12D86ADC7} -> Spyware.AdvancedSearchbar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Error during cleaning
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Error during cleaning
HKLM\SOFTWARE\Classes\URLSearch.URLSearch -> Spyware.SeekSeek : Error during cleaning
HKLM\SOFTWARE\Classes\US.US -> Spyware.SeekSeek : Error during cleaning
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ATLAssLib -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\PSguard.com -> Spyware.PSGuard : Cleaned with backup
HKLM\SOFTWARE\PSguard.com\PSGuard -> Spyware.PSGuard : Cleaned with backup
[844] C:\WINDOWS\system32\zlpnrvq.exe -> Trojan.Agent.cp : Cleaned with backup
[1084] VM_00EB0000 -> Adware.BetterInternet : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard\PSGuard.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard\Register.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\PSGuard\Uninstall.lnk -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Marci\Cookies\marci@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Marci\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marci\Cookies\marci@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Marci\Cookies\marci@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Marci\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Marci\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~478836.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~487503.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~506116.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~516970.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~531973.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~589291.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~658215.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~700885.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~728722.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~744064.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~750924.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~779537.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~831568.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~843188.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~847099.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temp\~858279.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temporary Internet Files\Content.IE5\10SFD5W1\svcsysnet32_EN_XP[1].cab/svcsysnet32.dll -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temporary Internet Files\Content.IE5\10SFD5W1\tb[1].txt -> Spyware.ToolBand : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temporary Internet Files\Content.IE5\85QFOLMF\bridge-c10[1].cab/MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temporary Internet Files\Content.IE5\85QFOLMF\jesstraff[1].exe -> TrojanDownloader.Small.amg : Cleaned with backup
C:\Documents and Settings\Marci\Local Settings\Temporary Internet Files\Content.IE5\GPMVWXQ3\exitpop[1] -> Trojan.NoClose.i : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun\HKCU -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun\HKCU\RunOnce -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun\HKLM -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun\HKLM\RunOnce -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun\StartMenuAllUsers -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Autorun\StartMenuCurrentUser -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\BrowserObjects -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Application Data\PSGuard.com\PSGuard\Quarantine\Packages -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\[email protected][1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\6DD.tmp -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\7A7.tmp -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\9vl1jh.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~18497.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~371639.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~393897.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~427529.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~507556.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~628082.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~645403.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~656736.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~667718.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~673074.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~679102.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~847186.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~854320.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~888277.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~893952.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~894975.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~897959.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~906733.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~923352.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~942382.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~945988.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~948520.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~949551.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~952406.tmp -> Spyware.Wintools : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~963501.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Documents and Settings\Norma\Local Settings\Temp\~966239.tmp -> TrojanDownloader.WinTool : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle0622200513269470968.asw -> Spyware.CometCursor : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle08062005222996344812.asw -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem0622200513259411062.asw -> Spyware.Comet : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem0622200513259411125.asw -> Spyware.Comet : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem0622200513259411156.asw -> Spyware.CometCursor : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem0622200513269426468.asw -> Spyware.Wintools : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QMem06232005112868767937.asw -> Spyware.Wintools : Cleaned with backup
C:\WINDOWS\9vl1jh.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\aad.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\ATLASSUI.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\bwktlzvqqtb.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dload.exe -> Trojan.LowZones.bn : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\inviteabi.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\stlbd.dll -> Spyware.ToolBand : Cleaned with backup
C:\WINDOWS\SYSTEM32\9vl1jh.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\bH.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\j5u1m1u.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\SYSTEM32\kjb21zrjoe0r.dll -> TrojanDownloader.Small.amg : Cleaned with backup
C:\WINDOWS\SYSTEM32\ut1dxb.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\zlpnrvq.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\tbabi.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\tbdr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\win32res.exe -> Trojan.Agent.fl : Cleaned with backup


::Report End
_______________________________________________
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:42:32 PM, 9/7/2005
+ Report-Checksum: 64E09E2A

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ANSMTP.MassSender -> Spyware.007Spy : Error during cleaning
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Error during cleaning
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Error during cleaning
HKLM\SOFTWARE\Classes\URLSearch.URLSearch -> Spyware.SeekSeek : Error during cleaning
HKLM\SOFTWARE\Classes\US.US -> Spyware.SeekSeek : Error during cleaning
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning


::Report End
_____________________________________

Tech Support Guy Forums > Internet & Networking > Security > Aurora


tinybri, 01-Sep-2005, 10:59 PM
Here is the updated log for Hijack and Ewido. What is the active scan?

Logfile of HijackThis v1.99.1
Scan saved at 7:51:58 PM, on 9/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Holly Brown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RoboPDF] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:44:49 PM, 9/1/2005
+ Report-Checksum: 6E9E8FEC

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
[784] C:\WINDOWS\System32\rtxmpis.exe -> Trojan.Agent.cp : Cleaned with backup
[1808] VM_012F0000 -> Adware.BetterInternet : Error during cleaning
C:\!Submit\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Holly Brown\Cookies\holly brown@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Holly Brown\Cookies\holly [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Holly Brown\Cookies\holly brown@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Holly Brown\Cookies\holly brown@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Holly Brown\Cookies\holly [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Holly Brown\Desktop\backups\backup-20050831-010624-622.dll -> Spyware.WinAD : Cleaned with backup
C:\Temp\bundle_cdt1006.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\mirindaspg.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\8n46i4sr.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\dun.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\g27n.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\iniquota.exe -> Spyware.Apropos : Cleaned with backup
C:\WINDOWS\system32\mirindaspg.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\Qsoteg.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\rtxmpis.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\upsasptiqz.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

--------------------------------------------------------------------------------

khazars, 31-Aug-2005, 06:23 AM
Hi, welcome to TSG.

Go to Add/Remove and uninstall Media Gateway, Viewpoint Toolbar, SurfSideKick 3, Viewpoint and PLook. Look for their folders in C:\program files and delete them.


Download the pocket killbox

http://www.bleepingc...les/killbox.php

Download the Nail/aurora fix

http://www.noidea.us...ex.php?folder=2




* Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido.
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click Update.
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.




* Download Cleanup from here

http://www.stevengou...p/download.html

* A window will open; choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on the Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree".
* Then click NEXT followed by START and OK.
* A window will appear with many choices; keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK.
* DO NOT RUN IT YET.






* Click here for info on how to boot to safe mode if you don't already know
how.


How to boot to safe mode

http://service1.syma...src=sec_doc_nam


* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before
clicking Fix.




R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\plook.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [gwbeee] C:\WINDOWS\System32\gltqhr.exe r
O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
O4 - HKCU\..\Run: [Windows Driver Services] msdrvs32.exe
O4 - HKCU\..\Run: [SYSTEM] lsas.exe
O4 - HKCU\..\Run: [Plook] C:\Program Files\PLook\plook.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\Program Files\SurfSideKick 3\SskBho.dll
C:\WINDOWS\Nail.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\PLook\plook.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\WINDOWS\System32\gltqhr.exe



Find and delete these files and folders if they are there:


Because XP will not always show you hidden files and folders by default,
go to Start > Search and, under "More advanced search options",
make sure there is a check by "Search System Folders", "Search hidden
files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types". Now click "Apply to all folders",
then "Apply", then "OK".



Don't delete lsass.exe; that is the legitimate file.



ndis.exe
msdrvs32.exe
lsas.exe




* Once in Safe Mode, double-click on Nailfix.cmd. Your desktop and icons will
disappear and reappear, and a window should open and close very quickly ---
this is normal.



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop



* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.



Post another HijackThis log, plus the Ewido and ActiveScan logs.

--------------------------------------------------------------------------------

tinybri, 31-Aug-2005, 04:30 AM
Well, my computer was infected by mirindaspg.exe and Aurora (not sure if they're the same thing). I tried to follow some of the directions on this forum but couldn't remove everything. At least now when I surf I don't get a virus popup every 5 seconds... however the Aurora browser still shows up and throws a bunch of popups at me. Would really appreciate it if somebody could help out. Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:58 AM, on 8/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\gltqhr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\PLook\plook.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Holly Brown\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RoboPDF] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\plook.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [gwbeee] C:\WINDOWS\System32\gltqhr.exe r
O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
O4 - HKCU\..\Run: [Windows Driver Services] msdrvs32.exe
O4 - HKCU\..\Run: [SYSTEM] lsas.exe
O4 - HKCU\..\Run: [Plook] C:\Program Files\PLook\plook.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

--------------------------------------------------------------------------------





_____________________________________
There is everything I have thrown at it, and it's still there.

Dell Dimension
Celeron 1.27
Win XP Home SP2
NAV 2004


Adrian
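The checks khazars applies by hand in the pasted instructions above (the altered F2 Shell= line, HKCU Run values that are bare file names, the lsas.exe near-miss of the legitimate lsass.exe, the O20 AppInit_DLLs entry and the O23 service with an unknown owner) can be automated for first-pass triage of a HijackThis log. The Python below is an added example and is not part of this thread or of HijackThis itself; the sample lines are copied from the logs in this post, while the severity scale and the list of system process names are the example's own assumptions. It only covers the entry types the helper singled out, so a clean result is not a clean machine.

```python
"""Triage of HijackThis (HJT) log lines for the entry types flagged in this
thread. Added example; not part of the forum thread or of HijackThis itself."""
import re

# Legitimate Windows process names that malware imitates with near-miss
# spellings (lsas.exe in the log above is one letter short of lsass.exe).
# This list is an assumption of the example, not something HJT ships.
SYSTEM_PROCESSES = {"lsass.exe", "svchost.exe", "services.exe", "csrss.exe",
                    "smss.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe"}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run(Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character-off process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the legitimate process name `filename` is within one edit of,
    or None if it is exactly legitimate or not close to anything."""
    name = filename.lower()
    if name in SYSTEM_PROCESSES:
        return None
    for legit in sorted(SYSTEM_PROCESSES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def executable_of(cmd):
    """Executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT log line.
    The severity labels are this example's own triage scale."""
    findings = []
    m = F2_RE.match(line)
    if m and m.group("shell").strip().lower() != "explorer.exe":
        findings.append(("high", "Shell= has an extra program appended: " + m.group("shell").strip()))
    m = O20_RE.match(line)
    if m and m.group("dlls").strip():
        findings.append(("high", "AppInit_DLLs loads " + m.group("dlls").strip() + " into every GUI process"))
    m = O23_RE.match(line)
    if m:
        if m.group("owner") == "Unknown owner":
            findings.append(("medium", "service with unknown owner: " + m.group("path")))
        if "(file missing)" in m.group("path"):
            findings.append(("low", "service points at a missing file: " + m.group("path")))
    m = RUN_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1]
        if "\\" not in exe:
            # A bare file name relies on the PATH search order and hides where the binary lives.
            findings.append(("medium", "Run value [%s] is a bare file name: %s" % (m.group("name"), exe)))
        legit = lookalike(base)
        if legit:
            findings.append(("high", "%s is one character off the legitimate %s" % (base, legit)))
    return findings


def triage_log(lines):
    """Map each flagged log line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        line = line.rstrip("\r\n")
        found = triage_line(line)
        if found:
            report[line] = found
    return report


def worst_severity(report):
    """Highest severity present in a triage report, or None if it is clean."""
    order = {"low": 1, "medium": 2, "high": 3}
    worst = None
    for findings in report.values():
        for sev, _ in findings:
            if worst is None or order[sev] > order[worst]:
                worst = sev
    return worst


# Sample lines copied from the logs in this post (a constructed subset).
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [gwbeee] C:\WINDOWS\System32\gltqhr.exe r",
    r"O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe",
    r"O4 - HKCU\..\Run: [SYSTEM] lsas.exe",
    r"O20 - AppInit_DLLs: repairs.dll",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
]

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        for sev, reason in findings:
            print("%-6s %s\n       %s" % (sev.upper(), line, reason))
```

Note that the randomly named gltqhr.exe in System32 is not caught by any of these rules: it has a full path, a plausible extension and no near-miss name, which is exactly why the helper still reads the whole log rather than trusting a filter.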


#2 actexas (Topic Starter, New Member, 6 posts)
Need some help here

Here are the results for HJT, Ewido, and NAV:

Logfile of HijackThis v1.99.1
Scan saved at 1:57:20 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\110832~1\EE\AOLHOS~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\110832~1\EE\AOLServiceHost.exe
C:\windows\system32\rpswjclb.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Norma\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108323758\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rpswjclb] c:\windows\system32\rpswjclb.exe -start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Blue Up] C:\PROGRA~1\DRIVEB~1\axisarmy.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125662593781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------- EWIDO SCAN ON 9-12-05 ----------
Spyware Scan Details
Start Date: 9/13/2005 1:32:59 AM
End Date: 9/13/2005 1:53:13 AM
Total Time: 20 mins 14 secs

Detected Threats

WinTools Trojan more information...
Details: WinTools’ purpose is currently unknown. WinTools installs an Internet Explorer browser helper object, a URL search hook, and downloads several files in Common files\WinTools\. WinTools runs at startup
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected folders detected
c:\program files\common files\wintools
c:\program files\common files\wintools\temp


EGroup.IEAccess.C Dialer more information...
Details: EGroup Dialer is an ActiveX control for premium-rate dialers, usually for adult content sites.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448


Altnet Browser Plug-in more information...
Details: Altnet Topsearch runs as an Internet Explorer browser helper object (BHO) and acts as a search engine. It can supply advertising to KaZaA users.
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet


Detected Spyware Cookies
No spyware cookies were found during this scan.

________________________________________________________________________________
Norton AV scan 9-12-05

Source: C:\WINDOWS\bafzeb.exe
Description: The file C:\WINDOWS\bafzeb.exe is a Adware threat.
____________________________________________________________________

Any help would be appreciated. Posted earlier this week, had 15 views but nobody was able to offer any assistance.

Adrian..........I thank you in advance Malware Slayers
Click for more information about this threat : Adware.Aurora


actexas, Today, 05:10 PM, Post #2 (New Member, Group: Member, Posts: 3, Joined: 6-September 05, Member No.: 115,965, Operating System: XP)

PLEASE I REALLY DO NEED HELP ON THIS POST. ANY HELP FROM ANYONE WOULD BE APPRECIATED.

AC

#3 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi,


We are sorry to have missed your log due to heavy traffic.

If you still need help, please post back a fresh Hijack This log.

If the problem has been resolved, please let us know.

#4 actexas (Topic Starter, New Member, 6 posts)
tampabelle,

Sorry I was frustrated and posted again under a new post:

http://www.geekstogo...topic=63251&hl=

If you do a search under my profile name you can see it, or would you like me to cut and paste it here? Thanks!

#5 ScHwErV (Retired Staff, MVP, Member 5k, 21,285 posts)
Threads merged. Please don't start a new thread. You are in very good hands with Tampa now.

ScHwErV :tazz:

#6 actexas (Topic Starter, New Member, 6 posts)
Super... OK Tampa, here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:58 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\110832~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110832~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Norma\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108323758\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Blue Up] C:\PROGRA~1\DRIVEB~1\axisarmy.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125662593781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

____________________________________________________

Tampa.....this is the last ewido scan I ran....no changes since this scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:26:01 AM, 9/13/2005
+ Report-Checksum: 5AA9FF7B

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\ANSMTP.MassSender -> Spyware.007Spy : Error during cleaning
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Error during cleaning
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Error during cleaning
HKLM\SOFTWARE\Classes\URLSearch.URLSearch -> Spyware.SeekSeek : Error during cleaning
HKLM\SOFTWARE\Classes\US.US -> Spyware.SeekSeek : Error during cleaning
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning
[2232] VM_01351000 -> Dialer.Generic : Error during cleaning
[584] VM_00BD1000 -> Dialer.Generic : Error during cleaning
[2196] VM_00A91000 -> Dialer.Generic : Error during cleaning
[2324] VM_00931000 -> Dialer.Generic : Error during cleaning
[1132] VM_01071000 -> Dialer.Generic : Error during cleaning
[2068] VM_00AE1000 -> Dialer.Generic : Error during cleaning
[2368] VM_00BE1000 -> Dialer.Generic : Error during cleaning
[2372] VM_00B31000 -> Dialer.Generic : Error during cleaning
[1744] VM_01041000 -> Dialer.Generic : Error during cleaning
[2596] VM_00BB1000 -> Dialer.Generic : Error during cleaning
[2588] VM_003E1000 -> Dialer.Generic : Error during cleaning
[2896] VM_00E71000 -> Dialer.Generic : Error during cleaning
[2964] VM_09861000 -> Dialer.Generic : Error during cleaning
[4000] VM_00F51000 -> Dialer.Generic : Error during cleaning
[4080] VM_016C1000 -> Dialer.Generic : Error during cleaning
[2124] VM_10001000 -> Dialer.Generic : Error during cleaning
[1560] VM_01A41000 -> Dialer.Generic : Error during cleaning
[2928] VM_10001000 -> Dialer.Generic : Error during cleaning
[2040] VM_00E61000 -> Dialer.Generic : Error during cleaning
C:\Documents and Settings\Norma\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Norma\Cookies\norma@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\WINDOWS\SYSTEM32\msplock32.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__msclock32.dll -> Dialer.Generic : Cleaned with backup


::Report End
_______________________________________________________

Tampa.....there are my logs....any assistance in this matter would be greatly appreciated.
Adrian

#7
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


3. Delete Rogue files

Click on Start ---> Run. Type Services.msc and hit enter. Locate the item ".NET Framework Service". Right click on it and then click on Properties. In the Startup Type choose the option Disable. Close the window.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

C:\WINDOWS\jawa32.exe
C:\WINDOWS\svchost.exe (do not delete the file C:\Windows\System32\svchost.exe)


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

Also, can you tell me something about this file /program -

C:\PROGRA~1\DRIVEB~1\axisarmy.exe
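The triage the helper does by eye in the post above (a core binary such as svchost.exe living outside System32 with a missing file and no publisher, a toolbar CLSID with no backing file, a Run entry launching from the Windows root) can be written down as a check over HijackThis lines. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed in the same form as the logs in this thread, and the rule set is an assumption, a triage aid that still needs a human to judge each hit.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, in the form of the HijackThis log above (not the full log).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Binaries that belong only in %SystemRoot%\System32; the same name anywhere
# else is the impostor pattern seen in this thread (C:\WINDOWS\svchost.exe).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}

O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] "?(?P<path>[a-z]:\\[^"]*?\.exe)"?', re.I)
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>[a-z]:\\.*?\.exe)'
                    r'(?P<missing> \(file missing\))?\s*$', re.I)


def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O3 - Toolbar:") and line.endswith("(no file)"):
            findings.append((line, "toolbar CLSID with no backing file (orphaned entry)"))
            continue
        m = O4_RE.match(line)
        if m:
            p = PureWindowsPath(m["path"])
            if p.parent.name.upper() == "WINDOWS":  # directly in the Windows root, no subfolder
                findings.append((line, f"autorun '{m['name']}' launches {p.name} from the Windows root"))
            continue
        m = O23_RE.match(line)
        if m:
            p = PureWindowsPath(m["path"])
            reasons = []
            if p.name.lower() in SYSTEM32_ONLY and p.parent.name.lower() != "system32":
                reasons.append(f"{p.name} outside System32 (impostor of a core binary)")
            if m["missing"]:
                reasons.append("service binary is missing on disk")
            if m["owner"].lower() == "unknown owner":
                reasons.append("no publisher recorded")
            if reasons:
                findings.append((line, "; ".join(reasons)))
    return findings
```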

#8
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.