Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

MagicControl.Agent


  • This topic is locked This topic is locked
15 replies to this topic

#1 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 18 November 2005 - 03:02 PM

Hope someone can help.

When running SpyBot it tells me, that my computer has the MagicControl.Agent. On fixing the problem, it only comes back on next Scan :angry:

My HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 21:51:50, on 18-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\programmer\mailskinner\mailskinner.exe
C:\Programmer\Lexmark 3100 Series\lxbrbmon.exe
C:\Programmer\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programmer\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\DOCUME~1\Teddy\LOKALE~1\Temp\mwavscan.com
C:\DOCUME~1\Teddy\LOKALE~1\Temp\kavss.exe
D:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmer\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MailSkinner] c:\programmer\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Thanks.

    Advertisements

Register to Remove


#2 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 04:45 AM

HI All

I found 2 programs ind msconfig/start
yxbwedt.exe and xfjkba.exe
Both in C:\windows\system32\

I can not find them. When trying too use Hijackthis tool, delete files on startup, do not change anything :(

New HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:28:42, on 19-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\programmer\mailskinner\mailskinner.exe
C:\Programmer\Lexmark 3100 Series\lxbrbmon.exe
C:\Programmer\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programmer\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe
C:\Programmer\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Programmer\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\xfjkba.exe
D:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmer\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [yxbwedt] c:\windows\system32\yxbwedt.exe -start
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [pqdobs] c:\windows\system32\pqdobs.exe -start
O4 - HKLM\..\Run: [xfjkba] c:\windows\system32\xfjkba.exe -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MailSkinner] c:\programmer\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#3 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 06:15 AM

Hello checknow, welcome to the forum.

Download the following programs.

a.
Download Killbox HERE and put it on your desktop

b.
Download CCleaner HERE and install it.

c.
Download Ewido security suite HERE



1. After the download of Ewido is complete, double click on the file to launch the install process.
2. During installation under the Additonal Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
3. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
4. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
5. Close Ewido.

Next:

Reboot into Safemode:
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

This can take a few minutes to get into Safe Mode.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O4 - HKLM\..\Run: [yxbwedt] c:\windows\system32\yxbwedt.exe -start
O4 - HKLM\..\Run: [pqdobs] c:\windows\system32\pqdobs.exe -start
O4 - HKLM\..\Run: [xfjkba] c:\windows\system32\xfjkba.exe -start
O4 - HKCU\..\Run: [MailSkinner] c:\programmer\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Microsoft Office\Office10\OSA.EXE

Close ALL windows and browsers except HijackThis and click "Fix checked"


Next:
Open CCleaner.

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button


Next:
Open Ewido

1. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
2. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
3. On the main screen, please select 'Complete System Scan' and the scan should begin.
4. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
5. When the scan is complete, click "Save Report". You scan results will be saved in a textfile. Please submit that with your next post.

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and then follow the instructions from step #8 again.

Exclamation Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Now close ewido security suite.

Next:
Then double-click on the killbox.exe program.


Start Killbox and click on Tools->Delete Temp Files.
Unregister .dll before deleting (unless it is greyed out)
Delete on Reboot

Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.


C:\WINDOWS\system32\xfjkba.exe
c:\windows\system32\yxbwedt.exe
c:\windows\system32\pqdobs.exe
c:\programmer\mailskinner\mailskinner.exe


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

After Reboot, "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#4 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 08:09 AM

Hi LDTate Thanks for the reply. After cleaning, I try running Spybot. 2 problems MagicControl.Agent and Connect MFC Application :angry: ewido log --------------------------------------------------------- ewido security suite - Scanningsrapport --------------------------------------------------------- + Oprettet den: 14:39:11, 19-11-2005 + Rapport-Checksum: EF66845C + Scanningsresultat: HKU\S-1-5-21-299502267-688789844-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} -> Spyware.MoneyTree : Renset uden backup C:\WINDOWS\system32\msclock32.dll -> Spyware.NaviPromo : Renset uden backup C:\WINDOWS\system32\msplock32.dll -> Spyware.NaviPromo : Renset uden backup ::Rapport slut My new HijackThis log Logfile of HijackThis v1.99.1 Scan saved at 15:07:32, on 19-11-2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmer\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\System32\rmctrl.exe C:\Programmer\Logitech\iTouch\iTouch.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\system32\carpserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Programmer\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE C:\Programmer\Lexmark 3100 Series\lxbrbmon.exe C:\Programmer\LG PC Suite\LG PC Sync\LGSyncManager.exe C:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe C:\Programmer\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Programmer\ewido\security suite\ewidoctrl.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\wscntfy.exe C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe C:\Programmer\Internet Explorer\iexplore.exe D:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Smapp] C:\Programmer\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE" O4 - Global Startup: LG SyncManager.lnk = ? O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#5 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 08:27 AM

After cleaning, I try running Spybot. 2 problems
MagicControl.Agent and Connect MFC Application

Does it list where these are located?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#6 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 08:33 AM

Hi LDTate --- Search result list --- Connect MFC Application: Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-299502267-688789844-1417001333-1004\Software\livesvc MagicControl.Agent: User settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-299502267-688789844-1417001333-1004\Software\LanConfig MagicControl.Agent: User settings (Registry value, nothing done) HKEY_USERS\S-1-5-21-299502267-688789844-1417001333-1004\Software\mc\SA

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 08:51 AM

From Add/Remove Programs in the Control Panel, choose ‘mc’ (MC variant), ‘wintrim’ (Wintrim variant) or ‘wincomp’ (Wincomp variant). This uninstaller should work, though it requires internet access.


Let me know if any of these are there.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#8 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 09:00 AM

None of the one on your list. BUT I got one call tesmkhl??? Don't know the program

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 09:04 AM

None of the one on your list. BUT I got one call tesmkhl??? Don't know the program

Remove it then. I can't find anything with Google.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#10 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 09:27 AM

THANKS LDTate. :D :D This is the result from Spybot --- Search result list --- Congratulations!: No immediate threats were found. () The new HijackThis log Logfile of HijackThis v1.99.1 Scan saved at 16:22:04, on 19-11-2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Programmer\ewido\security suite\ewidoctrl.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmer\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\System32\rmctrl.exe C:\Programmer\Logitech\iTouch\iTouch.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\system32\carpserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Programmer\Microsoft AntiSpyware\gcasServ.exe C:\Programmer\Lexmark 3100 Series\lxbrbmon.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE C:\Programmer\LG PC Suite\LG PC Sync\LGSyncManager.exe C:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe C:\Programmer\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe D:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Smapp] C:\Programmer\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE" O4 - Global Startup: LG SyncManager.lnk = ? O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe This looks good to me? I will try to stay activ in this forum, an help if I can. :)

    Advertisements

Register to Remove


#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 09:31 AM

Lets clean-up the left overs.


Backup your Registry... - Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL



I recommend you download RegSeeker. Extract it to it's own folder, open and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot When done.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#12 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 09:56 AM

Thanks again LDTate. No problem after running RegSeeker. No problem after Reboot. No Problem after running Spybot :D I am very happy :weee: I will try to lear more about this, and help if I can Lates HIjackTHIS log Logfile of HijackThis v1.99.1 Scan saved at 16:56:05, on 19-11-2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmer\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\System32\rmctrl.exe C:\Programmer\Logitech\iTouch\iTouch.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\system32\carpserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Programmer\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE C:\Programmer\Lexmark 3100 Series\lxbrbmon.exe C:\Programmer\LG PC Suite\LG PC Sync\LGSyncManager.exe C:\Programmer\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe C:\Programmer\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Programmer\ewido\security suite\ewidoctrl.exe D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\wscntfy.exe C:\Programmer\Internet Explorer\iexplore.exe D:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Smapp] C:\Programmer\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programmer\Lexmark 3100 Series\lxbrbmgr.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE" O4 - Global Startup: LG SyncManager.lnk = ? O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Machine Debug Manager (MDM) - Logitech - (no file) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 10:02 AM

Good Job :thumbup:


Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start> My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults
Select: Apply, and click OK




If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D


Classroom info:
http://forums.tomcoy...?showtopic=1421

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#14 checknow

checknow

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 19 November 2005 - 10:08 AM

I already fix the System Restore. :) I am in the process off looking in to the links. Thanks Firewall installed. :-)

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 November 2005 - 10:11 AM

Good job :thumbup: Hope to see you in the Classroom soon :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users