HJT, Rapport, and Ewido logs
#1
Posted 16 June 2006 - 08:34 AM
#2
Posted 18 June 2006 - 05:52 AM
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
- Click on Scanner
- Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
______________________________
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________
Please post:
- c:\rapport.txt
- Ewido log
- A new HijackThis log
MrC
#3
Posted 19 June 2006 - 06:58 AM
Sorry it took me so long to reply, but this is my work computer that is infected, so I was away from it all weekend.
Anyways, I followed your instructions to the letter and here are the logs you requested:
SmitFraudFix v2.61
Scan done at 7:54:19.09, Mon 06/19/2006
Run from C:\Documents and Settings\Jennifer Shawver\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:49:20 AM, 6/19/2006
+ Report-Checksum: 79D8947A
+ Scan result:
:mozilla.14:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Jennifer Shawver\Application Data\Mozilla\Firefox\Profiles\g73k71sm.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 8:53:51 AM, on 6/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\PROGRA~1\COMMON~1\STEM32~1\chkntfs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\JENNIF~1\LOCALS~1\Temp\!update.exe
C:\WINDOWS\DOBE~1\wowexec.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HideOutlook] "C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Rqrog] C:\PROGRA~1\COMMON~1\STEM32~1\chkntfs.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: logonui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
#4
Posted 19 June 2006 - 05:45 PM
Enable hidden files:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK" (reverse this procedure when we are done)
----------------
Please disable AdWatch, as it may hinder the removal of some entries.
To disable AdWatch:
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options. You can enable these after resolving your problem.
Disable Windows Defender also:
Go to Tools » General Settings
Scroll down to Real-time protection options
Uncheck Turn on real-time protection (recommended)
--------------------------------
Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar, click on it and click Remove.
Reboot and delete this folder if found:
C:\Program Files\PurityScan
If not listed download and run this uninstaller:
http://www.outerinfo...Uninstaller.exe
Tutorial for the uninstaller if needed
Reboot when done and delete this folder if found:
C:\Program Files\PurityScan
---------------------------
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes if listed:
chkntfs.exe
wowexec.exe
Exit the Task Manager when finished
Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items:
O4 - HKCU\..\Run: [Rqrog] C:\PROGRA~1\COMMON~1\STEM32~1\chkntfs.exe
O20 - AppInit_DLLs: logonui.dll
Click on Fix Checked and exit HijackThis.
Delete these files if found:
C:\PROGRA~1\COMMON~1\STEM32~1\chkntfs.exe
C:\WINDOWS\DOBE~1\wowexec.exe
C:\WINDOWS\system32\logonui.dll
Reboot and post a fresh HijackThis log and we'll take another look. MrC
#5
Posted 20 June 2006 - 05:57 AM
Followed your instructions, and here is the latest log.
Logfile of HijackThis v1.99.1
Scan saved at 7:55:54 AM, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HideOutlook] "C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Ufeywae] C:\DOCUME~1\JENNIF~1\MYDOCU~1\RACLE~1\nopdb.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: ati2evxx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Thank you for your continuing help!
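Added example, not part of the original thread: a small parser that compares the registry Run (O4) and AppInit_DLLs (O20) lines of two HijackThis logs, showing which autostart entries disappeared and which appeared between the 19 June and 20 June logs above. The sample lines are a subset copied from those logs; the function names and the tuple layout are this example's own, and it assumes AppInit_DLLs values are file names without spaces.

```python
import re

# O4 registry autoruns look like:  O4 - HKCU\..\Run: [ValueName] command line
# ("O4 - Global Startup" shortcut lines are deliberately not matched here.)
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# O20 lists DLLs that Windows loads into every process that loads user32.dll.
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")

# Subset of the 19 June log posted in this thread.
LOG_19_JUNE = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rqrog] C:\PROGRA~1\COMMON~1\STEM32~1\chkntfs.exe
O20 - AppInit_DLLs: logonui.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# Subset of the 20 June log posted in this thread.
LOG_20_JUNE = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Ufeywae] C:\DOCUME~1\JENNIF~1\MYDOCU~1\RACLE~1\nopdb.exe
O20 - AppInit_DLLs: ati2evxx.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# The two items the helper asked to be checked in HijackThis on 19 June.
FIX_POST_4 = [
    r"O4 - HKCU\..\Run: [Rqrog] C:\PROGRA~1\COMMON~1\STEM32~1\chkntfs.exe",
    "O20 - AppInit_DLLs: logonui.dll",
]


def parse_autostarts(log_text):
    """Return a set of (section, location, name, value) tuples for O4 Run and O20 lines."""
    entries = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.add(("O4", f"{hive}\\{key}", name, command))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # The value may hold several DLLs separated by spaces or commas.
            for dll in re.split(r"[ ,]+", m.group(1).strip()):
                if dll:
                    entries.add(("O20", "AppInit_DLLs", "", dll.lower()))
    return entries


def diff_logs(before_text, after_text):
    """Autostart entries that appeared or disappeared between two logs."""
    before = parse_autostarts(before_text)
    after = parse_autostarts(after_text)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def still_present(fix_lines, later_log_text):
    """Entries selected for 'Fix Checked' that show up again in a later log."""
    wanted = parse_autostarts("\n".join(fix_lines))
    return sorted(wanted & parse_autostarts(later_log_text))


if __name__ == "__main__":
    changes = diff_logs(LOG_19_JUNE, LOG_20_JUNE)
    for kind in ("removed", "added"):
        for section, location, name, value in changes[kind]:
            label = f"[{name}] " if name else ""
            print(f"{kind:8} {section:4} {location}: {label}{value}")
    print("fixed entries that came back:", still_present(FIX_POST_4, LOG_20_JUNE))
```

Run against the full logs, the same diff makes the pattern in this thread visible at a glance: the fixed entries are gone, but a different AppInit_DLLs value and new randomly named HKCU Run values have taken their place.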
#6
Posted 20 June 2006 - 03:42 PM
Download and unzip the KillBox to a folder.
Open up the KillBox
Select the option Delete on reboot.
Click the button: All Files (Important!!)
Now it should flash green.
Now copy the next part in blue: (highlight it > right click on it and choose copy)
C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe
C:\WINDOWS\system32\ati2evxx.dll
Open 'File' in the KillBox menu on top and choose Paste from clipboard
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Your computer must reboot now.
Post a fresh HJT log, MrC
#7
Posted 21 June 2006 - 05:35 AM
Scan saved at 7:34:09 AM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HideOutlook] "C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Ufeywae] C:\DOCUME~1\JENNIF~1\MYDOCU~1\RACLE~1\nopdb.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: ati2evxx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#8
Posted 21 June 2006 - 05:41 PM
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
---------------------
Perform this tweak for searching:
Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
Now.....
Do a search for this file: ati2evxx.dll
and please upload it HERE for a free scan - let me know the results.
--------------------
Last....
Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items:
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe" -vt ndrv
O20 - AppInit_DLLs: ati2evxx.dll
Click on Fix Checked and exit HijackThis.
Delete this file if found:
C:\DOCUME~1\JENNIF~1\APPLIC~1\WNSXS~1\javaw.exe
Reboot and post a fresh HJT log and let me know about ati2evxx.dll, MrC
#9
Posted 22 June 2006 - 05:53 AM
I tried generating the uninstall list for you, but every time I clicked "Save List", HJT would just close.
I searched for uninstall_list.txt, but came up with nothing. Not sure what is going wrong... I followed your directions exactly.
Here are the results of the scan:
Service
Service load:
0% 100%
File: ati2evxx.dll
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 fbc3262e627db50d9053168b2060ad3e
Packers detected:
-
Scanner results
AntiVir
Found Adware-Spyware/Purityscan.EN adware
ArcaVir
Found Adware.Bho.Purityscan.Jha
Avast
Found Win32:Ndrv
AVG Antivirus
Found Generic.OFX
BitDefender
Found nothing
ClamAV
Found Trojan.PurityScan.EN
Dr.Web
Found Adware.ClickSpring
F-Prot Antivirus
Found nothing
Fortinet
Found Adware/PurityScan
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.PurityScan.en
NOD32
Found Win32/Adware.PurityScan application
Norman Virus Control
Found W32/PurityScan.YM
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found AdWare.Win32.PurityScan.en
Logfile of HijackThis v1.99.1
Scan saved at 7:58:01 AM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HideOutlook] "C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Tried to do the uninstall list again after reboot, and the same thing happens.... anytime I hit "Save List", HJT closes and does not generate a text file.
Thanks.
Edited by vanburen, 22 June 2006 - 06:00 AM.
#10
Posted 22 June 2006 - 04:58 PM
anyway....
You did GOOD! The log is clean!
Just go back and delete that ati2evxx.dll, use safe mode if you have a problem or you can use the KillBox.
Download and unzip the KillBox to a folder
Now open up the KillBox and copy and paste it in and hit delete. If the file exists, it will appear in blue under the window.
You must paste the full path of the file in, example:
C:\WINDOWS\system32\ati2evxx.dll <---or whatever it is.
Let me know, MrC
#11
Posted 23 June 2006 - 06:11 AM
Scan saved at 8:06:40 AM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HideOutlook] "C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
This morning, when I opened up Firefox, I got the AVGold popups. I searched for the ati2evxx.dll file and found it in 2 places.... one under history and one under recent documents. I deleted both of them and then restarted. So far, I have not gotten any popups. I will not be back at this computer until Monday. Let me know if anything in the log looks suspicious or if I need to do anything else. I appreciate all the time and effort you have put towards helping me. Thank you very much for this wonderful service. I see myself making a donation in the very near future. Thank you so much!!
David
Edit: Still getting the sysprotect popups, whether I am in a browser or not.
Edited by vanburen, 23 June 2006 - 06:21 AM.
#12
Posted 23 June 2006 - 04:35 PM
Download and run SysProtect Remover.exe. Once it is running, click the "Remove Now" button and follow the on-screen instructions.
Let me know, MrC
#13
Posted 25 June 2006 - 01:15 PM
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.
Coyote's Installed programs for prevention:
http://forums.tomcoy...showtopic=31418
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Visit the CoyoteStore http://TomCoyote.org/coyotestore.php