Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Admiliserv.exe


  • Please log in to reply

#1
DOt

DOt

    New Member

  • Member
  • Pip
  • 9 posts
Hello... I have a problem here... There are some kind of trojans or smth that laaagz my PC... The are no active processes but it stops... Or work very slowly...
There is a program 180Search which I can't delete... And AdmiliServ, WindowsAd (or smth like that) which I can't delete too... I remove them but after a reboot they are here again... I tried to clean everything with Ad-Aware SE, but after few reboots everything starts over again... I can't switch users... I have to restart PC to switch to other user... There are always in Processes "admiliserv.exe", "admilikeep.exe"...

And sometimes it brings me a msg:
"Messenger Service
Message from 81RM4 (my PC name) to 81RM4 on 1/3/2005 10:10:10 AM {interesting time}
The Win32/StartPage.KK.Trojan was detected in C:\...FDPC....
Machine: 81RM4, User: NT AUTHORITY\SYSTEM
File Status: File was cured; system cure performed.
"
Or in the [C:\...FDPC....] there is [C:\...FFT1....]; [C:\...ISTD....] and etc...


I have removed admilikeep and made this HijackThis thing... And it shows m this:
Logfile of HijackThis v1.99.0
Scan saved at 10:02:10, on 2005.01.03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\m3y.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msc32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system\lsvchost.exe
C:\WINDOWS\System32\aaupdt.exe
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\MartSoft\mIRC\mirc.exe
C:\MartSoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Far\Far.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Opera\opera.exe
C:\My Downloads\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Microsoft WinUpdate] spoolsvs.exe
O4 - HKLM\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [LiOqb] C:\WINDOWS\jwpgt.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [‰K04W
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jwpgt.exe
O4 - HKLM\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunServices: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKLM\..\RunOnce: [nvsv32.exe] nvsv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] spoolsvs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKCU\..\RunOnce: [nvsv32.exe] nvsv32.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = C:\Program Files\Vypress Chat\VyChat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEE8539-1F9A-4B65-B1A0-0A169FB0BA84}: NameServer = 192.168.1.2
O23 - Service: Aisigskins - Unknown - (no file)
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: chkras - Unknown - C:\WINDOWS\System32\chkras.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Unknown - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NetDDEfipx - Unknown - C:\WINDOWS\System32\m3y.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


I can copy a log when the admiliServ is installed again, if you need... :tazz:
  • 0

Advertisements


#2
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
And there is "Search Relevancy" and "SahAgent"... These two reinstall again too...
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Uninstall ShopAtHome under Add/Remove Software.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Microsoft WinUpdate] spoolsvs.exe
O4 - HKLM\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe

O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [LiOqb] C:\WINDOWS\jwpgt.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\SYSCFG16.EXE

O4 - HKLM\..\Run: [?K04W
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jwpgt.exe
O4 - HKLM\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunServices: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKLM\..\RunOnce: [nvsv32.exe] nvsv32.exe

O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] spoolsvs.exe

O4 - HKCU\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKCU\..\RunOnce: [nvsv32.exe] nvsv32.exe


O23 - Service: Aisigskins - Unknown - (no file)

O23 - Service: chkras - Unknown - C:\WINDOWS\System32\chkras.exe

O23 - Service: Norton AntiVirus Auto Protect Service - Unknown - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NetDDEfipx - Unknown - C:\WINDOWS\System32\m3y.exe

Reboot and do an online virusscan for example here: http://housecall.antivirus.com/
I have reasons to believe your own AV is not uptodate or was disabled by viruses.

Post back with a new log when you are done.

Regards,

Pieter
  • 0

#4
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
That Scan found 31 file with viruses... One was NetSky.C... And now this HiJackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 14:24:57, on 2005.01.04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\nvsv32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\aaupdt.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\snss.exe
C:\WINDOWS\System32\snss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Far\Far.exe
C:\My Downloads\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Update] aaupdt.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] aaupdt.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunServices: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunOnce: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] aaupdt.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKCU\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKCU\..\RunOnce: [nvsv32.exe] nvsv32.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = C:\Program Files\Vypress Chat\VyChat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEE8539-1F9A-4B65-B1A0-0A169FB0BA84}: NameServer = 192.168.1.2
O23 - Service: Aisigskins - Unknown - (no file)
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


And I have found this folder \WINDOWS\Prefetch\ and there are files, for example: "CHKRAS.EXE-20EA9EA9.pf " or "CALC.EXE-02CD573A.pf "... There are 130 such files... Should they be here? (Just asking...)

Take care,
Martin

BTW, Thanks for help!
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
31 and counting.


Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Microsoft Update] aaupdt.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] aaupdt.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunServices: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunOnce: [nvsv32.exe] nvsv32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] msc32.exe

O4 - HKCU\..\Run: [NvCplScan] msc32.exe

O4 - HKCU\..\Run: [Microsoft Update] aaupdt.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKCU\..\Run: [nvsv32.exe] nvsv32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKCU\..\RunOnce: [nvsv32.exe] nvsv32.exe

O23 - Service: Aisigskins - Unknown - (no file)

Reboot into safe mode and delete:
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\nvsv32.exe
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\System32\aaupdt.exe
C:\WINDOWS\System32\snss.exe

Then boot normally and follow instructions here to celan that prefetch folder:
http://www.tweakxp.com/tweak525.aspx

Post back with a new log.

Regards,

Pieter
  • 0

#6
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.0
Scan saved at 23:16:02, on 2005.01.04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\scvhost32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\snss.exe
C:\WINDOWS\System32\snss.exe
C:\My Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] snss.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = C:\Program Files\Vypress Chat\VyChat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEE8539-1F9A-4B65-B1A0-0A169FB0BA84}: NameServer = 192.168.1.2
O23 - Service: Aisigskins - Unknown - (no file)
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service - Unknown - C:\WINDOWS\System32\nvsvc32.exe (file missing)

Here it is...

What AV should I use to protect e-mail and etc?
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
That didn't help much. :tazz:

If there is anything you don't understand or isn't working as expected, please let us know, so we can help you better.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\RunServices: [Generic Host Process System] scvhost32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe

O4 - HKCU\..\Run: [Generic Host Process System] scvhost32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] snss.exe

Reboot into safe mode and delete:
C:\WINDOWS\System32\scvhost32.exe
C:\WINDOWS\System32\snss.exe

Install a program like regprot: http://www.diamondcs...hp?page=regprot
or WinPatrol: http://www.winpatrol.com/ to keep an eye on your startup keys.

I was under the impression you were using eTrust as your virusscanner. Was I wrong?

Regards,

Pieter
  • 0

#8
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
"Close ALL windows except HijackThis and click Fix checked"

Do I have to close "nVIDIA Settings" (tray icon)? Or eTrust AV?
  • 0

#9
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts

Do I have to close "nVIDIA Settings" (tray icon)? Or eTrust AV?

Wouldn't hurt, but no. Most important is to close any web browser windows.
  • 0

#10
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.0
Scan saved at 11:05:41, on 2005.01.06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\msc32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\aaupdt.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Far\Far.exe
C:\My Downloads\regprot\regprot.exe
C:\My Downloads\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunOnce: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] msc32.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = C:\Program Files\Vypress Chat\VyChat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEE8539-1F9A-4B65-B1A0-0A169FB0BA84}: NameServer = 192.168.1.2
O23 - Service: Aisigskins - Unknown - (no file)
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service - Unknown - C:\WINDOWS\System32\nvsvc32.exe (file missing)


Yes I use eTrust... I installed RegistryProt and it shows me files, but I don't know which are good and which are bad... ;]
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
OK Fix these and allow the changes:
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [NvCplScan] msc32.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunOnce: [NvCplScan] msc32.exe

O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] msc32.exe

O23 - Service: Aisigskins - Unknown - (no file)

Then (in HijackThis click Config > Misc Tools > Delete a file on reboot
Choose:
C:\WINDOWS\System32\msc32.exe

and let the computer reboot when prompted.

Post a new log when you are done.

Regards,

Pieter
  • 0

#12
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.0
Scan saved at 19:39:20, on 2005.01.06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\aaupdt.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\My Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Update] aaupdt.exe
O4 - HKLM\..\RunServices: [Microsoft Update] aaupdt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] aaupdt.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = C:\Program Files\Vypress Chat\VyChat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEE8539-1F9A-4B65-B1A0-0A169FB0BA84}: NameServer = 192.168.1.2
O23 - Service: Aisigskins - Unknown - (no file)
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service - Unknown - C:\WINDOWS\System32\nvsvc32.exe (file missing)

Here it is...
  • 0

#13
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
One step closer I think.
Fix these entries:
O4 - HKLM\..\Run: [Microsoft Update] aaupdt.exe
O4 - HKLM\..\RunServices: [Microsoft Update] aaupdt.exe

O4 - HKCU\..\Run: [Microsoft Update] aaupdt.exe

Then use the Delete a file on reboot option on (you guessed it)
C:\WINDOWS\System32\aaupdt.exe

Let's have a new log when you are done please.

Regards,

Pieter
  • 0

#14
DOt

DOt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.0
Scan saved at 07:15:07, on 2005.01.07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\My Downloads\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Vypress Chat StartUp.lnk = C:\Program Files\Vypress Chat\VyChat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFEE8539-1F9A-4B65-B1A0-0A169FB0BA84}: NameServer = 192.168.1.2
O23 - Service: Aisigskins - Unknown - (no file)
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service - Unknown - C:\WINDOWS\System32\nvsvc32.exe (file missing)

Here it is... Thx... U saved my live!..
  • 0

#15
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Hey, you did all the hard work. ;)

Glad we could help. :tazz:

Safe Surfing,

Pieter
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP