Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trouble with popup's [RESOLVED]

Started by tvro , Dec 11 2005 06:10 PM

  • This topic is locked This topic is locked

#31
tvro
Posted 17 December 2005 - 06:47 PM

tvro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:45:48 PM, on 12/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\DirectUpdate v4\DUEngine.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DirectUpdate v4\DUControl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Downloads\Cleanup\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [$MagicMedia] I:\Old-Drive-g\Program Files\MMedia\MMEDIA.EXE startupMM
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB003" /M "Stylus C84"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DUControl] "C:\Program Files\DirectUpdate v4\DUControl.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129505119375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{71B7343B-B77C-42AB-AC7D-7C2573348440}: NameServer = 192.168.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F701B0B9-489C-4B48-BC7E-25AC9C71675B}: NameServer = 192.168.101.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINNT\system32\fp4803hue.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\afledit.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DirectUpdate engine (DirectUpdate) - http://www.directupdate.net/ - C:\Program Files\DirectUpdate v4\DUEngine.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: MlxServer - Unknown owner - C:\Program Files\MailXpert2.14\MlxServer.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe




Incident Status Location

Adware:adware/secure32 Not disinfected C:\WINNT\secure32.html
Adware:adware/cws.searchmeup Not disinfected C:\WINNT\tool3.exe
Adware:adware/searchresults Not disinfected C:\PROGRAM FILES\QL
Adware:adware/cws.yexe Not disinfected C:\WINNT\inet20009
Adware:Adware/Look2Me Not disinfected C:\!KillBox\cqtdll.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\dnn6015se.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\gppul3791.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\guard.tmp
Adware:Adware/Look2Me Not disinfected C:\!KillBox\ktj0l71m1.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\mei.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\nztui2.dll
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\andy.HEATWING\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-15599ffc-1053bc9a.class
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\andy.HEATWING\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-510037f0.zip[InstallerApplet.class]
Adware:Adware/SpySheriff Not disinfected C:\Downloads\auto-digitizing\lz03mf01.exe[run.exe]
Adware:Adware/EShopper Not disinfected C:\Program Files\MBS Disk Space Analyzer\Uninstal.exe
Adware:Adware/Secure32 Not disinfected C:\secure32.html
Virus:4096 Not disinfected C:\USB-Drive\portable_sunbird_0.2_r3.zip[selectAddressesDialog.js]
Possible Virus. Not disinfected C:\WINNT\DH.dll
Adware:Adware/Secure32 Not disinfected C:\WINNT\secure32.html
  • 0

Advertisements

#32
tvro
Posted 17 December 2005 - 07:54 PM

tvro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Incident Status Location

Adware:adware/secure32 Not disinfected C:\WINNT\secure32.html
Adware:adware/cws.searchmeup Not disinfected C:\WINNT\tool3.exe
Adware:adware/searchresults Not disinfected C:\PROGRAM FILES\QL
Adware:adware/cws.yexe Not disinfected C:\WINNT\inet20009
Adware:Adware/Look2Me Not disinfected C:\!KillBox\cqtdll.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\dnn6015se.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\gppul3791.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\guard.tmp
Adware:Adware/Look2Me Not disinfected C:\!KillBox\ktj0l71m1.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\mei.dll
Adware:Adware/Look2Me Not disinfected C:\!KillBox\nztui2.dll
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\andy.HEATWING\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-15599ffc-1053bc9a.class
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\andy.HEATWING\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-510037f0.zip[InstallerApplet.class]
Adware:Adware/SpySheriff Not disinfected C:\Downloads\auto-digitizing\lz03mf01.exe[run.exe]
Adware:Adware/EShopper Not disinfected C:\Program Files\MBS Disk Space Analyzer\Uninstal.exe
Adware:Adware/Secure32 Not disinfected C:\secure32.html
Virus:4096 Not disinfected C:\USB-Drive\portable_sunbird_0.2_r3.zip[selectAddressesDialog.js]
Possible Virus. Not disinfected C:\WINNT\DH.dll
Adware:Adware/Secure32 Not disinfected C:\WINNT\secure32.html


Logfile of HijackThis v1.99.1
Scan saved at 8:54:43 PM, on 12/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\DirectUpdate v4\DUEngine.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DirectUpdate v4\DUControl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Downloads\Cleanup\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [$MagicMedia] I:\Old-Drive-g\Program Files\MMedia\MMEDIA.EXE startupMM
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB003" /M "Stylus C84"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DUControl] "C:\Program Files\DirectUpdate v4\DUControl.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129505119375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{71B7343B-B77C-42AB-AC7D-7C2573348440}: NameServer = 192.168.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F701B0B9-489C-4B48-BC7E-25AC9C71675B}: NameServer = 192.168.101.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINNT\system32\fp4803hue.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\afledit.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DirectUpdate engine (DirectUpdate) - http://www.directupdate.net/ - C:\Program Files\DirectUpdate v4\DUEngine.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: MlxServer - Unknown owner - C:\Program Files\MailXpert2.14\MlxServer.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
  • 0

#33
loophole
Posted 18 December 2005 - 01:18 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Looks like we are almost done :tazz:

Please uninstall the following (click start >>>control panel >>> add/remove programs) If present
QL


1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java,

Pocket Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINNT\tool3.exe
    C:\PROGRAM FILES\QL
    C:\WINNT\DH.dll
    C:\WINNT\secure32.html
    C:\WINNT\inet20009

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Delete this folder c:\killbox


Post a new hijack log and tell me how your system is running now.

Thanks :)
  • 0

#34
tvro
Posted 18 December 2005 - 03:53 PM

tvro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:53:28 PM, on 12/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\DirectUpdate v4\DUEngine.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DirectUpdate v4\DUControl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Downloads\Cleanup\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [$MagicMedia] I:\Old-Drive-g\Program Files\MMedia\MMEDIA.EXE startupMM
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB003" /M "Stylus C84"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DUControl] "C:\Program Files\DirectUpdate v4\DUControl.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129505119375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{71B7343B-B77C-42AB-AC7D-7C2573348440}: NameServer = 192.168.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F701B0B9-489C-4B48-BC7E-25AC9C71675B}: NameServer = 192.168.101.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heatwing.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{58509064-76F3-45A5-8758-18BFB9ACEA87}: NameServer = 192.168.101.1
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINNT\system32\fp4803hue.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\afledit.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DirectUpdate engine (DirectUpdate) - http://www.directupdate.net/ - C:\Program Files\DirectUpdate v4\DUEngine.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: MlxServer - Unknown owner - C:\Program Files\MailXpert2.14\MlxServer.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
  • 0

#35
loophole
Posted 18 December 2005 - 11:13 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Please go here: Jotti

Click the "browse" button and locate this file:

c:\windows\taskmgr.com

Click "Open", then click the "Submit" button. Copy the results and paste them here.

Thanks
  • 0

#36
tvro
Posted 19 December 2005 - 04:40 AM

tvro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I have a C:\WINNT\taskman.exe

Andy

Service load:
0% 100%
File: TASKMAN.EXE
Status:
OK
MD5 fed8a09528acfe5e04af44438a8a4d1b
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing
  • 0

#37
loophole
Posted 19 December 2005 - 10:03 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Check and fix this entry in hijack:

O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com



How is everything running?
  • 0

#38
tvro
Posted 19 December 2005 - 03:05 PM

tvro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Everything look great.

Andy
  • 0

#39
loophole
Posted 19 December 2005 - 03:12 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I thing we are good to go then :)

Congratulations
your system is clean :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#40
tvro
Posted 19 December 2005 - 04:26 PM

tvro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thanks for all the help. I usually can handle the normal problems, but this was over my head.

Andy
  • 0

Advertisements

#41
loophole
Posted 19 December 2005 - 04:52 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Yep this one is a pain!!

Good luck to you :tazz:
  • 0

#42
loophole
Posted 31 December 2005 - 10:28 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP