My logs! please help! [RESOLVED]
#31 Trevuren (Retired Staff)
1. Please turn on your SYSTEM RESTORE immediately. If anything drastic occurred, you would not have a restore point to fall back upon. We here at Geeks strongly disagree with turning the restore feature off. We would rather work with an infected system, which would be the case if you had to restore from an infected point than not have anything to fall back on.

2. Kaspersky is one of the best AntiVirus products on the market if not the best. I would trust them before relying on Symantec. That is my opinion but it is shared by many others.

3. Download Killbox.
  • Unzip it to the desktop.
  • Double-click Killbox.exe to run it.
  • Select "Delete on Reboot".
  • Place the following line (complete path) in the "Full Path of File to Delete" box in Killbox:
    E:\MFdownloads\pic0023-1.com
  • Put a mark next to "Delete on Reboot".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

4. Finally, to remove all those entries from your Java cache, please do the following:

How to empty your Java Cache

1. Go Start>>Settings>>Control Panel.

2. Click on Java which will open a Java window.

3. Click on the Cache Tab, then click on the Clear button.

4. Close the window

5. Reboot your system

6. Please run HJT, produce a log and post it in your reply. Please also include any information relating to the existence of redirects or popups that may still remain.

Regards,

Trevuren

#32 D_mcpasterfield (Topic Starter)
OK, no pop-ups as of now.
Another symptom I forgot to mention earlier, though this hasn't happened in a few days: it changed some of my drive letters (as in it changed H to F...). Not a big deal, I just change them back, but nonetheless annoying.
(NO!!!! It just gave me a pop-up!! Argh... I'll kill you, search inqwire... if it's the last thing I do!)
New HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:17:53 PM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AIM\aim.exe
H:\Program Files\Shareaza\Shareaza.exe
H:\Program Files\Xfire\Xfire.exe
E:\HSA KILL\hijackthis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Shareaza] "H:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: Xfire.lnk = H:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

thanks,
Steve

Edited by D_mcpasterfield, 27 November 2005 - 06:23 PM.

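The log above is read by eye in this thread. As an added example (not a tool used by the helper or the poster), the script below does the same first pass over HijackThis O4, O20 and O23 lines: it flags a referenced file that is reported missing, a service with no recorded owner, a DLL hooked into winlogon.exe, a DLL hosted by rundll32.exe (the DLL, not rundll32 itself, is what matters; Run-key entries start in the logged-on user's session, so they show that user's name in Task Manager), and a binary outside the usual install roots. The sample lines are copied from the log above; KNOWN_ROOTS is an assumption for this one machine, and the flags are review prompts rather than verdicts (Spy Sweeper's Winlogon Notify DLL, for instance, is legitimate).

```python
"""Triage of HijackThis (HJT) v1.99 log lines.

Added example, not a tool from this thread. It reads the O4 (autorun),
O20 (Winlogon Notify) and O23 (service) lines of an HJT log and applies
the checks a log helper makes by eye. KNOWN_ROOTS is an assumption for
this one machine; the flags are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the log posted above (the rest of the log is omitted).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Shareaza] "H:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: Xfire.lnk = H:\Program Files\Xfire\Xfire.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path on the line, ending at an .exe/.dll/.sys name;
# quoted paths containing spaces work because the match is non-greedy.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Assumption for this machine: legitimate autoruns live under these roots.
KNOWN_ROOTS = ("c:\\windows", "c:\\program files")


@dataclass
class Entry:
    kind: str
    text: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def triage(log_text: str) -> List[Entry]:
    """Parse the O4/O20/O23 lines and attach review flags to each."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group(1) not in ("O4", "O20", "O23"):
            continue
        kind, text = m.groups()
        e = Entry(kind, text, first_path(text))
        if "(file missing)" in text:
            e.flags.append("file-missing")
        if kind == "O23" and "Unknown owner" in text:
            e.flags.append("unknown-owner")
        if kind == "O20":
            e.flags.append("winlogon-notify-dll")   # DLL loaded into winlogon.exe
        if "rundll32" in text.lower():
            e.flags.append("rundll32-host")         # the DLL, not rundll32, is the payload
        if e.path and not e.path.lower().startswith(KNOWN_ROOTS):
            e.flags.append("outside-known-roots")
        entries.append(e)
    return entries


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that deserve a second look."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.kind, e.flags, e.path)
```

Run against the sample, it flags the rundll32-hosted NVIDIA DLL, the two programs on H:, the Winlogon Notify DLL, and the Maya service (missing file, unknown owner, on E:), and leaves the QuickTime, dumprep and NVIDIA service lines alone; the helper's verdict "your log looks good" rests on recognising every flagged item as known software.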

#33 Trevuren (Retired Staff)
Once we have finished with the malware part, if the drive letter problem still annoys you, open a thread in the hardware forum, where helpers way more qualified than I am in these matters will be able to help you. Please don't open the new thread until this one is closed.

Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren

#34 D_mcpasterfield (Topic Starter)
It seems like I'm almost in the clear, though one new problem: I have gotten the blue screen of death 3 times in the last few days. I have also come home and found my computer has been rebooted too...
The pop-ups are still here... though I'm pretty sure if I close rundll32.exe they stop. Also, about rundll32.exe... in the process list in Task Manager, it says the username for that process is me... shouldn't it say SYSTEM?
It doesn't appear that I'm in the clear quite yet.

Thanks,
Steve Sullivan

#35 Trevuren (Retired Staff)
We need to check if any of your system files are missing or corrupt:

1. Please go to Start -> Run -> type cmd and press Enter.

2. At the command prompt type sfc /scannow, making sure to put a space between the "c" and the slash, and then press Enter. This will run the System File Checker.

3. Follow the prompts, and insert your Windows installation CD if requested.

4. Then please REBOOT your computer.


Regards,

Trevuren


#36 D_mcpasterfield (Topic Starter)
OK, I finished running that scan.
I was asked to insert my CD several times; I clicked Retry each time (I don't think it should be asking me for my CD more than once...), and it putted along. The pop-ups are still here... I just ran it again, and the same thing is happening... I think for some reason it isn't working, though the second time I ran it, it asked for my CD fewer times. The second time I ran it after rebooting, it asked me 0 times for my CD. To me, I think that it is restoring itself on reboot, because it seems to be gone after running that SFC thing AFTER a reboot, but if before, the virus will just restore itself....
Also, I am currently running Trojan Hunter....
What the heck is going on with my computer?
Steve

Edited by D_mcpasterfield, 03 December 2005 - 11:53 PM.


#37 Trevuren (Retired Staff)
Keep on trying to repair it. It appears to be getting better. Infections don't just cause popups, some of them destroy important system files and eventually make the system crash.


Trevuren


#38 D_mcpasterfield (Topic Starter)
TROJAN HUNTER LOG!

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Port 5180/TCP is open (Matches Peeper.120. Port being used by process aim.exe/PID 196) (Tell me more about port alerts...)
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINDOWS\SYSTEM32\wfwall1.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\SkyAffiliate.exe/2yaIYS.exe (SDBot) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\SkyAffiliate.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Error: Error while pre-processing H:\pagefile.sys: Failed to create FileMappingView
Win32: Not enough storage is available to process this command (8)
Error: Error while calling IsValidPeFile: Failed to create FileMappingView
Win32: Not enough storage is available to process this command (8)
3 possible trojan files found
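TrojanHunter's "Suspicious: UPX-packed file in Windows System folder" verdict above is a heuristic built from two facts: the file's PE section table carries UPX's section names (UPX0, UPX1) and the file sits in the system directory. As an added example (not TrojanHunter's code, and not anything the poster ran), the script below implements that check: it walks a PE file's section table, tests for the packer's section names, combines that with the path, and prints the MD5 that Jotti reports alongside its engine results. The PE images are constructed in memory as test data and are not runnable binaries; the file names in the usage come from the thread.

```python
"""What "UPX-packed file in Windows System folder" means, as code.

Added example, not TrojanHunter's own logic. The PE images below are
constructed in memory (DOS stub, PE signature, COFF header, empty
optional header, section table) and are not runnable binaries.
"""
import hashlib
import struct
from typing import List

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}          # section names UPX leaves behind
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")


def build_minimal_pe(section_names: List[str]) -> bytes:
    """Constructed test data: a PE32 skeleton with the given section names."""
    e_lfanew = 0x40                                  # PE header right after the DOS header
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0                          # PE32 optional header size
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)
    # Each section header is 40 bytes; only the 8-byte name matters here.
    sections = b"".join(name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
                        for name in section_names)
    return dos_header + b"PE\x00\x00" + coff + optional + sections


def pe_section_names(data: bytes) -> List[str]:
    """Walk the section table of a PE file and return its section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections, = struct.unpack_from("<H", data, coff + 2)
    size_of_optional, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional
    names = []
    for i in range(number_of_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    return any(n.upper() in UPX_SECTIONS for n in pe_section_names(data))


def in_system_folder(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def trojanhunter_style_alert(path: str, data: bytes) -> bool:
    """Packed binary in the system folder: worth a multi-engine second
    opinion (the thread used Jotti), not an automatic conviction, since
    legitimate software is UPX-packed too."""
    return is_upx_packed(data) and in_system_folder(path)


def md5_hex(data: bytes) -> str:
    """The hash Jotti prints next to its verdicts, for cross-referencing."""
    return hashlib.md5(data).hexdigest()


# Constructed samples: a UPX-style layout and a plain compiler layout.
PACKED_SAMPLE = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
PLAIN_SAMPLE = build_minimal_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for path, data in ((r"C:\WINDOWS\SYSTEM32\wfwall1.exe", PACKED_SAMPLE),
                       (r"C:\WINDOWS\SYSTEM32\nvsvc32.exe", PLAIN_SAMPLE)):
        print(path, pe_section_names(data), trojanhunter_style_alert(path, data), md5_hex(data))
```

The packer check alone is weak evidence, which is why the next step in the thread is to submit the hash and file to a multi-engine scanner rather than delete on the strength of the heuristic.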

#39 Trevuren (Retired Staff)
I will attempt to give you a brief intro to ports in the vernacular. It is a complicated subject that deals with communications. Each system, router etc. has numerous entry points for information going out and coming in. These must be controlled if we don't want people entering (hacking) our systems. Some ports are closed by the system, some are left open because they are needed. Some programs access the net through specific ports. All my ports are "stealth", hidden from remote computers and closed. This can be done through hardware and software firewalls.

Here is a site where you can test to see what ports are open on your system and they also give you some info on ports and how they work: http://www.grc.com/default.htm


In the meantime, as suggested by TH, please submit the following files to the site shown below for analysis. Please submit them one at a time and post the individual results back into this thread so we can determine a course of action to take:

There is a file in your log of which I am unsure and of which there exists very little information. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\SYSTEM32\wfwall1.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Now repeat the same procedure with the following files:

C:\WINDOWS\SYSTEM32\SkyAffiliate.exe/2yaIYS.exe
C:\WINDOWS\SYSTEM32\SkyAffiliate.exe


5. Please provide me with the results of the analyses.

Regards,

Trevuren

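The port alert in the TrojanHunter log and the explanation above come down to one question a practitioner answers on the box itself: which process owns the open port, and is the socket reachable from the network or only from the machine? On Windows XP that is `netstat -ano` joined with `tasklist /fo csv`. The script below, added here as an example and not something either participant ran, joins the two outputs. The sample outputs are constructed; only port 5180, aim.exe and PID 196 come from the thread.

```python
"""Which process owns an open port, and is it reachable from outside?

Added example, not from the thread. Joins `netstat -ano` output with
`tasklist /fo csv` output. Both samples below are constructed; port 5180,
aim.exe and PID 196 are the values reported in the TrojanHunter log.
"""
import csv
import io
from typing import Dict, List

# Constructed `netstat -ano` output, in the layout Windows XP prints.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5180           0.0.0.0:0              LISTENING       196
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:3316       64.12.24.112:5190      ESTABLISHED     196
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"aim.exe","196","Console","0","21,404 K"
"alg.exe","1012","Console","0","3,512 K"
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv`."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -ano` rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        addr, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state, "pid": pid})
    return rows


def listening_ports(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Listening sockets joined with their owning image.

    `exposed` is True when the socket is bound to a non-loopback address,
    i.e. it is reachable from the network unless a firewall filters it.
    That is the difference between a port that is merely open on the
    machine and one a remote scanner (such as the GRC test linked above)
    can see."""
    images = parse_tasklist(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        out.append({
            "proto": r["proto"], "port": r["port"], "pid": r["pid"],
            "image": images.get(r["pid"], "<unknown>"),
            "exposed": not r["addr"].startswith(LOOPBACK_PREFIXES),
        })
    return out


if __name__ == "__main__":
    for p in listening_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(p)
```

Note that a port-number match such as "Matches Peeper.120" only says that a port some trojan is known to use is open; the owning image is what decides whether it is aim.exe or something else, and a loopback-only listener is not something a remote scan can reach.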

#40 D_mcpasterfield (Topic Starter)
Ok,

wfwall1.exe
File: wfwall1.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 2c7576e078c04ed2b1e1e43fb2b67f06
Packers detected:
UPX
Scanner results
AntiVir
Found Trojan/Drop.Agen.hl.3.B
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found DLOADER.Trojan (probable variant)
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

skyaffiliate.exe

File: SkyAffiliate.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 67cacff7d3f27da0d44ed3d0009c6460
Packers detected:
UPX
Scanner results
AntiVir
Found Trojan/Dldr.Agent.xq.8
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV
Found nothing
Dr.Web
Found Trojan.DownLoader.5681
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Pacer.c
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.MAN
UNA
Found nothing
VBA32
Found AdWare.Win32.Pacer.c

OK, it wasn't able to scan this one because it is an invalid file name: SkyAffiliate.exe/2yaIYS.exe

does this help?,
Steve
#41 Trevuren (Retired Staff)
A. Please DELETE all 3 files.

B. Surf to "safe" sites for about 30 minutes and please report on the occurrence of any popups.

C. Also submit a fresh HJT log

Regards,

Trevuren


#42 D_mcpasterfield (Topic Starter)
OK, I'm finished, though the pop-ups are still around.
Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 7:10:32 AM, on 12/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AIM\aim.exe
H:\Program Files\Shareaza\Shareaza.exe
H:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\Rar$EX00.438\KillBox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
E:\HSA KILL\hijackthis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Shareaza] "H:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: Xfire.lnk = H:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks,
Steve

#43 Trevuren (Retired Staff)
We are down to playing a "longshot":

Please print out these instructions for reference, since you will have to restart your computer during the fix.

1. Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

2. Save it to your desktop but Do NOT RUN IT YET.

3. Then please Reboot your computer in Safe Mode by doing the following:

A) Restart your computer.
B) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
C) Instead of Windows loading as normal, a menu should appear
D) Select the first option, to run Windows in Safe Mode.


4. Once in Safe Mode
  • Double-click aproposfix.exe and unzip it to the desktop.
  • Open the aproposfix folder on your desktop
  • Run RunThis.bat.
  • Follow the prompts.
5. When the tool is finished
  • Reboot back into normal mode
  • Post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder. Please also comment on the presence/absence of popups
Regards,

Trevuren


#44 D_mcpasterfield (Topic Starter)
Oh my goodness! I think it's gone! No pop-ups as of yet!!!! YES!!!!!
Good thinking, my man!

Here's the new HJT log:

Edition\docs\jre\bin\java.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
H:\Program Files\Shareaza\Shareaza.exe
H:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\HSA KILL\hijackthis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Shareaza] "H:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: Xfire.lnk = H:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Along with the log from AproposFix:

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Steven Sullivan\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoUQmABEMj82]
@="P6v2xp BCCBCCDCh0pxt.4BCCBREClXcSdlhCh934t\\IHCs2x6t23C2\\r34up4D393"
"Device"="\\\\.\\Spaient"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\rmcstfat.sys"
"DriverName"="Avgrial"
"HideUninstallerName"="C:\\Program Files\\Chanager\\npkdmoe2.exe"
"HDll"="C:\\WINDOWS\\System32\\filmagx5.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{Xf809917-5f48-4c96-d148-d0a25358299e}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Chanager\\nxdocvw.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\offbexec.exe"
"Version"="2.0.131"
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service Avgrial removed.

Removing hidden folder:
Deletion of folder Chanager succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\rmcstfat.sys succeeded!
Deletion of file C:\WINDOWS\System32\offbexec.exe succeeded!
Deletion of file C:\WINDOWS\System32\filmagx5.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CoUQmABEMj82]
[-HKEY_LOCAL_MACHINE\Software\CoUQmABEMj82]

Done!

Finished!

Yay!,
Steve
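The AproposFix log above is the most useful artifact in the thread: the registry block names the hidden driver, its service name, the device it exposes, the DLL, the updater and client executables, and the server it talks to. As an added example (not part of AproposFix and not something the poster ran), the script below parses that block in the .reg (REGEDIT4) syntax the log uses and pulls out those indicators, so they can be cross-checked against the deletions the tool reported. The block is copied from the log; the LegalNote URL is truncated on the page and is kept exactly as it appears.

```python
"""Turn the AproposFix registry dump into an indicator list.

Added example, not part of AproposFix. parse_reg() reads .reg (REGEDIT4)
syntax: [KEY] headers, "Name"="string" with backslashes doubled, dword:hex
values, and @ for the default value. extract_iocs() then classifies the
string values. The block below is copied from the log posted above.
"""
import re
from typing import Dict, Union

APROPOS_BLOCK = r'''
[HKEY_LOCAL_MACHINE\Software\CoUQmABEMj82]
@="P6v2xp BCCBCCDCh0pxt.4BCCBREClXcSdlhCh934t\\IHCs2x6t23C2\\r34up4D393"
"Device"="\\\\.\\Spaient"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\rmcstfat.sys"
"DriverName"="Avgrial"
"HideUninstallerName"="C:\\Program Files\\Chanager\\npkdmoe2.exe"
"HDll"="C:\\WINDOWS\\System32\\filmagx5.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{Xf809917-5f48-4c96-d148-d0a25358299e}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Chanager\\nxdocvw.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\offbexec.exe"
"Version"="2.0.131"
"CrMnTmt"=dword:0036ee80
'''

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                 # [-KEY] marks a deletion
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
RegValue = Union[str, int]


def _decode(raw: str) -> RegValue:
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \  and  \" -> "
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                     # dword:0036ee80 -> 3600000
    return raw                                      # hex:/binary values left raw


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path: {value_name: value}}; the default value is named '@'."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(2)          # deletion marker "-" is not kept
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            keys[current][name] = _decode(vm.group(2))
    return keys


def extract_iocs(text: str) -> Dict[str, list]:
    """Classify string values by shape (paths, device names) or by the
    value name (addresses, driver/service names; names are an assumption)."""
    keys = parse_reg(text)
    files, devices, hosts, services = set(), set(), set(), set()
    for values in keys.values():
        for name, value in values.items():
            if not isinstance(value, str):
                continue
            if DRIVE_PATH.match(value):
                files.add(value)
            elif value.startswith("\\\\.\\"):              # \\.\Name device path
                devices.add(value)
            elif name.lower().endswith("address"):
                hosts.add(value)
            elif name.lower() in ("drivername", "servicename"):
                services.add(value)
    return {"keys": list(keys), "files": sorted(files), "devices": sorted(devices),
            "hosts": sorted(hosts), "services": sorted(services)}


if __name__ == "__main__":
    for kind, items in extract_iocs(APROPOS_BLOCK).items():
        print(kind, items)
```

Compared with the "Deleting files" section of the log, the file list shows that the tool removed the driver, the updater and the DLL and deleted the Chanager folder wholesale (which held the client and the uninstaller), and that the service name it removed ("Avgrial") is the DriverName value. The registry keys are in both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives, which matches the two [-...] lines in the removal section.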

#45 Trevuren (Retired Staff)
Yeah!! I was starting to doubt my capabilities, LOL.

In your exuberance, you forgot to post a complete HJT log. We need it to give it a final check before commencing our final cleanup procedures and recommendations.

Regards,

Trevuren
