Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[RESOLVED] Hijacked by aaawebsearch!

Started by braghetta , Dec 27 2004 06:00 AM

  • Please log in to reply

#1
braghetta
Posted 27 December 2004 - 06:00 AM

braghetta

    New Member

  • Member
  • Pip
  • 6 posts
Hi at all,

Pls I need help! :tazz: I've been hijaked by aaawebsearch, I getting crazy with a lot of IE popups!
Thanks in advance for the support! ;)

Here my HijackThis log file:

Logfile of HijackThis v1.99.0
Scan saved at 12.50.37, on 27/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
C:\Program Files\Network ICE\BlackICE\RapApp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
D:\OmniPagePro14.0\WorkFlowTray.exe
D:\OmniPagePro14.0\Opware14.exe
D:\OmniPagePro14.0\OpScheduler.exe
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\EWMmg.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\WINNT\system32\internat.exe
C:\WINNT\NCLAUNCH.EXe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
D:\Olympus_Camedia\CM_camera.exe
C:\MSOffice\Office\OSA.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
D:\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://http-proxy.eu...i-bin/proxy.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http-proxy.np.ge.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;<local>
R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "D:\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "D:\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: CAMEDIA Master.lnk = D:\Olympus_Camedia\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ricerca AltaVista - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Traduci - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - FTP Prefix:
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: http://*.addictivetechnologies.net
O15 - Trusted Zone: http://*.c4tdownload.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.overpro.com
O15 - Trusted Zone: http://*.searchmiracle.com
O15 - Trusted Zone: http://*.windupdates.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://medquickplace02.ge.com/qp2.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - http://toolbar.altav...ab?r=1093345008
O16 - DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} (Camtronics Medical Systems Web Viewer) - file://E:\vwr_data\WebVwr.cab
O16 - DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} (IntraLaunch.MainControl) - file://E:\zzz_menu\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://www.ge.com/fi...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: ReplService - Unknown - C:\Trilogy\ReplService\repl.exe
  • 0

Advertisements

#2
Hemal
Posted 27 December 2004 - 09:17 AM

Hemal

    Founding Fart

  • Technician
  • 1,470 posts
You have a number of randomonly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

also have you ran ad-aware or spybot search and destroy?
  • 0

#3
braghetta
Posted 28 December 2004 - 09:19 AM

braghetta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

You have a number of randomonly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

also have you ran ad-aware or spybot search and destroy?

View Post

Ok :tazz: I did a new scan with thecleaner and pccillin. I have already done scans with ad-aware and Spybots&d.
Here my new log:

Logfile of HijackThis v1.99.0
Scan saved at 16.14.04, on 28/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
D:\ANTIVI~1\PcCtlCom.exe
C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
C:\Program Files\Network ICE\BlackICE\RapApp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
D:\ANTIVI~1\Tmntsrv.exe
D:\ANTIVI~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
D:\ANTIVI~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
D:\OmniPagePro14.0\WorkFlowTray.exe
D:\OmniPagePro14.0\Opware14.exe
D:\OmniPagePro14.0\OpScheduler.exe
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\EWMmg.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
D:\Antivirus\pccguide.exe
D:\Antivirus\The Cleaner\tca.exe
D:\Antivirus\The Cleaner\tcm.exe
C:\WINNT\system32\internat.exe
C:\WINNT\NCLAUNCH.EXe
C:\Program Files\Network ICE\BlackICE\blackice.exe
D:\Olympus_Camedia\CM_camera.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\MSOffice\Office\OSA.EXE
D:\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://http-proxy.eu...i-bin/proxy.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http-proxy.np.ge.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;<local>
R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "D:\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "D:\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [tcactive] D:\Antivirus\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Antivirus\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: CAMEDIA Master.lnk = D:\Olympus_Camedia\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ricerca AltaVista - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Traduci - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - FTP Prefix:
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: http://*.addictivetechnologies.net
O15 - Trusted Zone: http://*.c4tdownload.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.overpro.com
O15 - Trusted Zone: http://*.searchmiracle.com
O15 - Trusted Zone: http://*.windupdates.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://medquickplace02.ge.com/qp2.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - http://toolbar.altav...ab?r=1093345008
O16 - DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} (Camtronics Medical Systems Web Viewer) - file://E:\vwr_data\WebVwr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} (IntraLaunch.MainControl) - file://E:\zzz_menu\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://www.ge.com/fi...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - D:\ANTIVI~1\PcCtlCom.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: ReplService - Unknown - C:\Trilogy\ReplService\repl.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - D:\ANTIVI~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - D:\ANTIVI~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - D:\ANTIVI~1\tmproxy.exe
  • 0

#4
Metallica
Posted 28 December 2004 - 09:45 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2

R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O13 - FTP Prefix:

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Reboot into safe mode and delete:
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\EWMmg.exe
C:\Program Files\Windows ControlAd <= entire folder

Post a new log when you are done.

Regards,

Pieter
  • 0

#5
braghetta
Posted 28 December 2004 - 10:43 AM

braghetta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2

R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O13 - FTP Prefix:

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Reboot into safe mode and delete:
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\EWMmg.exe
C:\Program Files\Windows ControlAd <= entire folder

Post a new log when you are done.

Regards,

Pieter

View Post

I tried you indications...but No way, I'm in trubles like before :tazz:

Here the new log:

Logfile of HijackThis v1.99.0
Scan saved at 17.39.55, on 28/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
D:\ANTIVI~1\PcCtlCom.exe
C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
C:\Program Files\Network ICE\BlackICE\RapApp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
D:\ANTIVI~1\Tmntsrv.exe
D:\ANTIVI~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
D:\ANTIVI~1\TmPfw.exe
D:\OmniPagePro14.0\WorkFlowTray.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
D:\OmniPagePro14.0\Opware14.exe
D:\OmniPagePro14.0\OpScheduler.exe
D:\Antivirus\pccguide.exe
D:\Antivirus\The Cleaner\tca.exe
D:\Antivirus\The Cleaner\tcm.exe
C:\WINNT\system32\internat.exe
C:\WINNT\NCLAUNCH.EXe
C:\WINNT\system32\wuclient.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
D:\Olympus_Camedia\CM_camera.exe
C:\MSOffice\Office\OSA.EXE
D:\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaawebsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aaawebsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://http-proxy.eu...i-bin/proxy.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http-proxy.np.ge.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;<local>
R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "D:\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "D:\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [pccguide.exe] "D:\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [tcactive] D:\Antivirus\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Antivirus\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [81C6F98B] C:\WINNT\system32\EWMmg.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: CAMEDIA Master.lnk = D:\Olympus_Camedia\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ricerca AltaVista - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Traduci - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: http://*.addictivetechnologies.net
O15 - Trusted Zone: http://*.c4tdownload.com
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.overpro.com
O15 - Trusted Zone: http://*.searchmiracle.com
O15 - Trusted Zone: http://*.windupdates.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://medquickplace02.ge.com/qp2.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - http://toolbar.altav...ab?r=1093345008
O16 - DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} (Camtronics Medical Systems Web Viewer) - file://E:\vwr_data\WebVwr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} (IntraLaunch.MainControl) - file://E:\zzz_menu\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://www.ge.com/fi...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - D:\ANTIVI~1\PcCtlCom.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: ReplService - Unknown - C:\Trilogy\ReplService\repl.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - D:\ANTIVI~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - D:\ANTIVI~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - D:\ANTIVI~1\tmproxy.exe
  • 0

#6
Metallica
Posted 28 December 2004 - 01:17 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Click Ctr-Alt-Del and Taskmanager will come up.
On the processes tab look for
wuclient.exe
rightclick and choose Kill Process.

Then repeat the instructions from my last post.
(Some lines may be gone, but fix the ones that came back)

Post a new log when you are done.

Regards,

Pieter
  • 0

#7
braghetta
Posted 29 December 2004 - 10:30 AM

braghetta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Click Ctr-Alt-Del and Taskmanager will come up.
On the processes tab look for
wuclient.exe
rightclick and choose Kill Process.

Then repeat the instructions from my last post.
(Some lines may be gone, but fix the ones that came back)

Post a new log when you are done.

Regards,

Pieter

View Post

Seems ok now! I have no more pup ups!! ;)

Here my new log:

Logfile of HijackThis v1.99.0
Scan saved at 17.28.36, on 29/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
D:\ANTIVI~1\PcCtlCom.exe
C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
C:\Program Files\Network ICE\BlackICE\RapApp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
D:\ANTIVI~1\Tmntsrv.exe
D:\ANTIVI~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
D:\ANTIVI~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
D:\OmniPagePro14.0\WorkFlowTray.exe
D:\OmniPagePro14.0\Opware14.exe
D:\OmniPagePro14.0\OpScheduler.exe
D:\Antivirus\pccguide.exe
D:\Antivirus\The Cleaner\tca.exe
D:\Antivirus\The Cleaner\tcm.exe
C:\WINNT\system32\internat.exe
C:\WINNT\NCLAUNCH.EXe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
D:\Olympus_Camedia\CM_camera.exe
C:\MSOffice\Office\OSA.EXE
D:\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://http-proxy.eu...i-bin/proxy.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http-proxy.np.ge.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;<local>
R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "D:\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "D:\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [pccguide.exe] "D:\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [tcactive] D:\Antivirus\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Antivirus\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: CAMEDIA Master.lnk = D:\Olympus_Camedia\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ricerca AltaVista - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Traduci - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://medquickplace02.ge.com/qp2.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - http://toolbar.altav...ab?r=1093345008
O16 - DPF: {601B418B-E6A6-47FC-A094-07248741CEB3} (Camtronics Medical Systems Web Viewer) - file://E:\vwr_data\WebVwr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} (IntraLaunch.MainControl) - file://E:\zzz_menu\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://www.ge.com/fi...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = euro.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = euro.med.ge.com,med.ge.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - D:\ANTIVI~1\PcCtlCom.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: ReplService - Unknown - C:\Trilogy\ReplService\repl.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - D:\ANTIVI~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - D:\ANTIVI~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - D:\ANTIVI~1\tmproxy.exe

Thnx a lot for your help! :tazz:
  • 0

#8
Metallica
Posted 29 December 2004 - 02:23 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Not done yet.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {387E7382-A174-8B88-81BB-37A36A9975EF} - C:\WINNT\system32\EWMmg.exe (file missing)

O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

Reboot after doing so, preferably into safe mode and delete:
C:\Program Files\Windows ControlAd <= entire folder

Regards,

Pieter
  • 0

#9
braghetta
Posted 03 January 2005 - 03:38 AM

braghetta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I did the first step but I have not the windows controlad folder. I deleted it few days ago....
  • 0

#10
Yarnouth
Posted 03 January 2005 - 03:44 AM

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)
  • 0

#11
braghetta
Posted 04 January 2005 - 03:17 AM

braghetta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank a lot for the help! :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP