Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

pokapoka76 [RESOLVED]

Started by mnolo , Oct 17 2005 12:16 PM

  • This topic is locked This topic is locked

#1
mnolo
Posted 17 October 2005 - 12:16 PM

mnolo

    Member

  • Member
  • PipPip
  • 14 posts
Hello, my problem appears to be quite similar to the one in another post ( http://www.geekstogo...showtopic=71673 )

Symtpoms are:

-an internet dialing windows tries to connect me to the internet called by several sites such as 0x80.my1x1.com (but my virus is not w32.toxbot.al as i've run the symantec fix and doesnt find this particular bug.

-great slow down of internet access and frequent crashes.

-I know the pokapoka76 is around as it's in the log


Logfile of HijackThis v1.99.1
Scan saved at 20:14:15, on 17/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wincntrl.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\MSGUPDATED.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\WINDOWS\System32\svc32.pif
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\etb\pokapoka76.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\\\etb\\pokapoka76.exe
O4 - HKLM\..\RunServices: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129398271481
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A342434E-89EE-4FEE-9CB1-BBD8700360C2}: NameServer = 62.235.14.4 62.235.13.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe

Many thanks in advance!!!
  • 0

Advertisements

#2
Trevuren
Posted 17 October 2005 - 12:42 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi lilbashi187 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME
  • Click HERE for the update.
  • Apply the update.
  • REBOOT YOUR SYSTEM

Regards,

Trevuren
  • 0

#3
mnolo
Posted 19 October 2005 - 02:19 AM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thank you. I have tried to download service pack 1a but, I think because my internet connection is greately slowed down by the virus, i cannot do so. I am trying to buy the service pack CD 1a from Microsoft (as this is the alternative they give in ther website) but it may take a while.

Any other ideas?

Thank you
  • 0

#4
Trevuren
Posted 19 October 2005 - 10:52 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
*Please go HERE (Microsoft website) using Internet Explorer ( not Firefox or any other browser as they won't work)
*Click on "Windows Validation Assistant"
*Click on the "Validate Now" button.
*Be patient while the ActiveX loads, do not click on any links.
*Read the instructions on this page while it's loading. You will be prompted to install - click YES.
*Enter your product key then click "continue"
*When it says "Validation Complete" please click "Continue to return to your previous activity"
*Copy what it says and paste it here

Trevuren
  • 0

#5
mnolo
Posted 19 October 2005 - 12:26 PM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Ok, tahnk you agian. First of all I couldnt loda the active X control on the msn page (the explorer has furthermore a new search bar which I have not installed myslef). I tried the other option which was to verify authenticty by cross cheking authenticity stickers on the pc etc. this is the (written) content fo the last screen:


Thank you for comparing your anti-piracy features.

Your COA exhibits Microsoft’s anti-piracy features.

These features are designed to reduce counterfeiting, and their presence on your Certificate of Authenticity is a positive indicator of a genuine Microsoft Windows operating system.


Next Step: Compare Anti-Piracy Features on Your CD
To find out which kind of software CD you should have received with your Microsoft Windows operating system, you must answer the following question regarding your COA.


Do the words 'OEM Product' appear beneath the product name in the center of your Certificate of Authenticity?
Yes No



You should have received a recovery solutions CD from your PC manufacturer. To verify that the recovery solutions CD that came with your PC is genuine, please contact your PC manufacturer.


You should have received a Microsoft Windows hologram CD with your PC. Your hologram CD should contain anti-piracy features which can be compared to genuine Microsoft hologram CDs.


Access Microsoft Support Services
Users of genuine Microsoft Windows products are entitled to access the following resources:

Windows Update
Microsoft Help and Support
Download Center
Microsoft TechNet
Microsoft Insider
Protect Your PC

Now what?
  • 0

#6
Trevuren
Posted 19 October 2005 - 05:56 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please download LQfix.exe and save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will now reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
2. Now do a scan with HiJackThis and post a new log by using Add Reply


Regards,

Trevuren
  • 0

#7
mnolo
Posted 20 October 2005 - 12:20 PM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Lqfix done, thanks

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 20:18:48, on 20/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wincntrl.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ezwebsearching.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\RunServices: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129398271481
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A342434E-89EE-4FEE-9CB1-BBD8700360C2}: NameServer = 62.235.14.4 62.235.13.199
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\BEL&MANO\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe

Regards
  • 0

#8
Trevuren
Posted 20 October 2005 - 12:38 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I want to get rid of the redirect first

A.
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A342434E-89EE-4FEE-9CB1-BBD8700360C2}: NameServer = 62.235.14.4 62.235.13.199
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System


  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

B. Make sure you are disconnected from the Internet and that all programs and windows are closed.

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

place bad O17s from the HiJackThis log here

Close HiJackThis.

Now lets check some settings on your system.
  • Go to Start > Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties.
  • Click the Networking tab.
  • Double-Click on the Internet Protocol (TCP/IP) item.
  • Select the radio dial that says Obtain DNS Servers Automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks.
Make sure to reboot and post back a new HiJackThis log into this topic.

C. Pleae tell me what you know about the following Service:

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe


Regards,

Trevuren
  • 0

#9
mnolo
Posted 20 October 2005 - 01:19 PM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
This the log after step A:

Logfile of HijackThis v1.99.1
Scan saved at 21:16:44, on 20/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wincntrl.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ezwebsearching.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCen
ter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\RunServices: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129398271481
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\BEL&MANO\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe
  • 0

#10
mnolo
Posted 20 October 2005 - 01:40 PM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Step B:

I did a new Hijackthis and found no 017s,

I checked the settings on my system and they were already as you suggested,

I rebooted and did a new hijackthis, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 21:30:12, on 20/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wincntrl.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ezwebsearching.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129398271481
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\BEL&MANO\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe

Step C

I dont know anything about : O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe

For your infomation when disconnected from the net I still get all the time the dialing window that requests to connect to internet on the request of asylumrules.reflect1.com (a site I dont know anything about)

I await instructions. Thanks for this again.
  • 0

Advertisements

#11
Trevuren
Posted 20 October 2005 - 02:21 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>MS Dns Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste WinNet in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\system32\wincntrl.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

#12
mnolo
Posted 20 October 2005 - 02:45 PM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Step A

I have not got the option to STOP the MS Dns Service (step 3 to 5)
Furthermore, the option Apply is not available when I choose "Disable" in the Start-up Type box (Step 9 to 11)

Step B does not seem to be possible without having done step A as Hijack ths doe not find WinNet in the registry.

Thanks
  • 0

#13
mnolo
Posted 20 October 2005 - 03:48 PM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
:tazz: Correction to previous post,

After restarting the pc and checking again MS Dns Service was disabled and was able to Delet WinNet

Here's the resulting log:

Logfile of HijackThis v1.99.1
Scan saved at 23:38:23, on 20/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\rasautou.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ezwebsearching.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\RunServices: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129398271481
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\BEL&MANO\LOCALS~1\TEMP\_VWUPSRV.EXE
  • 0

#14
Trevuren
Posted 20 October 2005 - 05:44 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>AntiVir Update Temp
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste TmpUpSrv in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\DOCUME~1\BEL&MANO\LOCALS~1\TEMP\_VWUPSRV.EXE


7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

#15
mnolo
Posted 23 October 2005 - 04:14 AM

mnolo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Sorry Ive been quite sick for a couple of days (an anlogic virus, yes they do yet exist :tazz: ) and couldnt post my reply.

Here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 12:06:57, on 23/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\TBLMOUSE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezwebsearching.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ezwebsearching.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\RunServices: [MICROSFT ANTIVIRUS UPDATE SUPPORT] MSGUPDATED.EXE
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129398271481
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP