Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Shaosk.exe what is it? I can not get rid of it. [RESOLVED]

Started by gosenbach , Nov 30 2005 12:28 PM

  • This topic is locked This topic is locked

#1
gosenbach
Posted 30 November 2005 - 12:28 PM

gosenbach

    New Member

  • Member
  • Pip
  • 7 posts
Hello. My workstation recently became infected with an odd piece of adware/spyware that I can not seem to get rid of.

This program is running in the background and hidden, it does not even show up in windows task manager.

The program is called shaosk.exe

So far I have been unsuccessful at locating any information on this program on the net. If I load up security task manager, it will show up listed as an un named process id. This program spawns popus even without a browser window open. When a popup is spawned, cpu usage for this process jumps from o% to 10% and adds a few megs onto its memory usage. The process uses UDP to listen on a port (dynamic every time it starts). When I shut down the process, it starts its self back up after a few minutes.

So far I have found no references to it in the registry. My diagnosis indicates that it resides in c:\program files\comndows\shaosk.exe but that directory does not seem exist.

When searching the hard drive for "shaosk", it finds a file called SHAOSK.EXE-068C1EF3.pf in c:\windows\prefetch. When I delete this file, it turns up again after a few minutes.

I have scanned my system many times with Spybot, Adaware SE, and MS Anti Spyware beta and none of them will pick it up. My anti-virus program does not pick it up either.

All the other process running on my machine are legit as near as I have been able to discover.

Has anyone ever seen this before or know what it is?

Edited by gosenbach, 30 November 2005 - 12:29 PM.

  • 0

Advertisements

#2
gosenbach
Posted 30 November 2005 - 03:50 PM

gosenbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here is the HijackThis log. I do not see anything abnormal. Perhaps I am missing somthing?

I also just found another process wpal3dv2.exe
My system is indicating that it is in c:\windows\system32\wpal3dv2.exe but that file does not seem to exist. Similar to the Shaosk.exe. It also does not show up on any scanner. I can however see them both in STM and Active Ports. Both of them are activally listening on UDP ports (random port each time the process spawns).



Logfile of HijackThis v1.99.1
Scan saved at 10:36:55 AM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\OpenOffice.org 1.9.125\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.125\program\soffice.BIN
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Active Ports\aports.exe
C:\Documents and Settings\Greg\My Documents\Downloads\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IPSentryV4] "C:\Program Files\RGE INC\IPSentry\IPSentry.EXE" /RUNSTARTUP
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Greg\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - Startup: OpenOffice.org 1.9.125.lnk = C:\Program Files\OpenOffice.org 1.9.125\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Start EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra 'Tools' menuitem: &EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.me...MetaStream3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF9FCF17-EFEF-43C1-8DAF-82F31705C80F}: NameServer = 192.168.0.1
O23 - Service: 3Com DMI Agent (3ComDMIService) - Unknown owner - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\Program Files\Common Files\OPC Foundation\opcenum.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
  • 0

#3
Buckeye_Sam
Posted 13 December 2005 - 08:35 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Let's see what we can turn up.

Download and save backlight to your desktop. Doubleclick blbeta.exe, accept the agreement, leave [X]scan through Windows Explorer checked, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.


=========


Please download DLLCompare

*Save it to your desktop and run it.
*Click 'Run Locate.com'to scan.
*When the scan has completed, click 'Compare'.
*When completed, click "Make a Log of What Was Found".
*Please Copy/Paste the entire contents of the logfile to this thread.

Note: If you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.
  • 0

#4
gosenbach
Posted 13 December 2005 - 10:17 AM

gosenbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you so much for the assistance Sam.

12/13/05 07:32:47 [Info]: BlackLight Engine 1.0.29 initialized
12/13/05 07:32:47 [Info]: OS: 5.1 build 2600 (Service Pack 1)
12/13/05 07:32:47 [Note]: 7019 4
12/13/05 07:32:47 [Note]: 7005 0
12/13/05 07:32:54 [Note]: 7006 0
12/13/05 07:32:54 [Note]: 7011 796
12/13/05 07:32:56 [Note]: 7018 1384
12/13/05 07:32:56 [Info]: Hidden process: C:\PROGRAM FILES\COMNDOWS\SHAOSK.EXE
12/13/05 07:32:56 [Note]: 7018 1440
12/13/05 07:32:56 [Info]: Hidden process: C:\WINDOWS\SYSTEM32\WPAL3DV2.EXE
12/13/05 07:32:57 [Note]: FSRAW library version 1.7.1013
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\ace.dll
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_07-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_08-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_09-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_10-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_11-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_12-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\AI_13-12-2005.log
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\broomput.exe
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\Cache\0000001c_4391bf43_000a4083
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\Cache\00000029_438b1d1a_0000fc71
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\Cache\00000029_438b31c4_000a7d8c
12/13/05 07:33:01 [Note]: 7002 0
12/13/05 07:33:01 [Note]: 7003 1
12/13/05 07:33:01 [Note]: 10002 3
12/13/05 07:33:01 [Info]: Hidden file: C:\Program Files\Comndows\Cache\00000029_438b3fb7_000e1113


.......................... There are 4300 items in the cache directory, I am going to skip most of them to avoid a massive post. The log file is ~2mb...................


12/13/05 07:43:35 [Note]: 10002 3
12/13/05 07:43:35 [Note]: 10002 3
12/13/05 07:43:35 [Note]: 10002 3
12/13/05 07:43:35 [Note]: 10002 3
12/13/05 07:43:54 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DRIVERS\abpr4_xp.sys
12/13/05 07:43:54 [Note]: 7002 0
12/13/05 07:43:54 [Note]: 7003 1
12/13/05 07:43:54 [Note]: 10002 1
12/13/05 07:44:09 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WPAL3DV2.EXE
12/13/05 07:44:09 [Note]: 7002 0
12/13/05 07:44:09 [Note]: 7003 1
12/13/05 07:44:09 [Note]: 10002 1
12/13/05 07:44:53 [Note]: 7007 0

............... End of backlight log file.



Dll Compare log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\niini32.dll Thu Sep 20 2001 2:33:02p A.S.. 36,864 36.00 K
C:\WINDOWS\SYSTEM32\nispylog.dll Thu Mar 11 2004 11:34:04a A.S.. 49,152 48.00 K
________________________________________________

1,556 items found: 1,556 files (2 H/S), 0 directories.
Total of file sizes: 338,908,217 bytes 323.21 M

Administrator Account = True

--------------------End log---------------------
  • 0

#5
Buckeye_Sam
Posted 13 December 2005 - 11:22 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
  • 0

#6
gosenbach
Posted 13 December 2005 - 11:57 AM

gosenbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sam,
Aproposfix came up with some networking errors when I ran it. I was not sure if I should boot into safe with networking and run it again. networking was disabled when I ran it. If you need me to run it again with networking enabled, let me know. Here is the logs.


Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Greg\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C0Xj4AzoIWs5]
@="elo54zzIJJIJJKJYrOE\\92IJJIYLJsejZksoJoGAB 4POJz90D 9AJwx79Q_F7KAGA"
"Device"="\\\\.\\CV2wfrk"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\abpr4_xp.sys"
"DriverName"="IPSnmdd"
"HideUninstallerName"="C:\\Program Files\\Comndows\\broomput.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\mqdat.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{F41FA8D0-A037-46ED-A949-D939E0232274}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\System32\\migicm32.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X4acc736-dae3-323a-62fb-63955750da5b}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service IPSnmdd removed.

Removing hidden folder:
Deletion of folder Comndows succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\abpr4_xp.sys succeeded!
Deletion of file C:\WINDOWS\System32\wpal3dv2.exe succeeded!
Deletion of file C:\WINDOWS\System32\migicm32.dll succeeded!
Deletion of file C:\WINDOWS\System32\mqdat.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C0Xj4AzoIWs5]
[-HKEY_LOCAL_MACHINE\Software\C0Xj4AzoIWs5]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F41FA8D0-A037-46ED-A949-D939E0232274}]

Done!

Finished!






Logfile of HijackThis v1.99.1
Scan saved at 9:49:41 AM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\OpenOffice.org 1.9.125\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.125\program\soffice.BIN
C:\WINDOWS\System32\lkcitdl.exe
C:\WINDOWS\System32\lkads.exe
C:\WINDOWS\System32\lktsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nicitdl5.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Greg\My Documents\Downloads\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IPSentryV4] "C:\Program Files\RGE INC\IPSentry\IPSentry.EXE" /RUNSTARTUP
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Greg\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - Startup: OpenOffice.org 1.9.125.lnk = C:\Program Files\OpenOffice.org 1.9.125\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Start EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra 'Tools' menuitem: &EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\PROGRA~1\EASYWE~1\easywebcam.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.me...MetaStream3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF9FCF17-EFEF-43C1-8DAF-82F31705C80F}: NameServer = 192.168.0.1
O23 - Service: 3Com DMI Agent (3ComDMIService) - Unknown owner - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\System32\lkads.exe
O23 - Service: Lookout Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\System32\lktsrv.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\System32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\Program Files\Common Files\OPC Foundation\opcenum.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
  • 0

#7
gosenbach
Posted 13 December 2005 - 12:39 PM

gosenbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sam,
It appears that that cleared up the problem!! Thank you so much!

Greg
  • 0

#8
Buckeye_Sam
Posted 13 December 2005 - 02:45 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log looks clean to me! :tazz:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:) :)
  • 0

#9
gosenbach
Posted 13 December 2005 - 02:58 PM

gosenbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks again Sam! This one was driving me nuts :tazz:
  • 0

#10
Buckeye_Sam
Posted 13 December 2005 - 03:06 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Glad I could help! :tazz:
  • 0

#11
Buckeye_Sam
Posted 13 December 2005 - 03:06 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP