Old 05-20-2005, 01:33 PM   #1 (permalink)
Registered User
 
Join Date: May 2005
Posts: 20
OS: XP


Canada.exe, maybe some others?

I've found some posts on this, and I've deleted similar files that were recommended in those posts. However, Canada.exe manages to get back every time on startup, along with a bombardment of pop-ups. Maybe I'm missing a few? Any help would be greatly appreciated. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 4:24:58 PM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\bzzfrb.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ProSiteFinder\prositefinderh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Glen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\\PERSONAL-Z6AS0S\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P48 "\\PERSONAL-Z6AS0S\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\noyfedyw.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [uvboyzy] c:\windows\system32\uvboyzy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemhg32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\canada.exe -N
O4 - HKLM\..\Run: [liaxxmn] c:\windows\system32\bzzfrb.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099593321984
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Old 05-20-2005, 07:39 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hello KainOcelot and welcome to TSF,

You have more than one infection here and we will need to do this in stages.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora.be/bluepatchy/nailfix.zip (for Windows XP). Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following entries and hit 'Fix checked' if it still exists:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode.

Download FindIt's.zip to your desktop: http://forums.net-integration.net/in...post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log and the results of the Ewido Scan.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
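A defender-side way to triage the kind of HijackThis entries dealt with above, written as an added example (it is not part of this thread and not code from the HijackThis tool): it parses F2, O4 and O23 lines copied from the log in post #1 and flags the hijacked system.ini Shell value (Nail.exe), Run entries that launch executables straight out of system32 without being on an allowlist, and services with "Unknown owner" running from the Windows root. The allowlist and the folder heuristics are assumptions chosen for illustration, not a rule from the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis 1.99.1 log in post #1,
# plus the benign dumprep Run entry to show the allowlist at work.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\noyfedyw.exe
O4 - HKLM\..\Run: [uvboyzy] c:\windows\system32\uvboyzy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\canada.exe -N
O4 - HKLM\..\Run: [liaxxmn] c:\windows\system32\bzzfrb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Assumption: on Windows XP the system.ini Shell value is exactly "Explorer.exe";
# any extra program appended to it is loaded alongside the shell at every logon.
EXPECTED_SHELL = "explorer.exe"
# Assumption: a tiny allowlist of binaries that legitimately autostart from system32.
SYSTEM32_ALLOWLIST = {"ctfmon.exe", "rundll32.exe", "dumprep"}

_F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str   # which heuristic fired
    line: str   # the offending log line, unchanged


def first_executable(cmd: str) -> str:
    """Program path of a Run command without its arguments.
    Handles a quoted path ("C:\\Program Files\\x.exe" -flag) and an unquoted
    path that may itself contain spaces (C:\\Program Files\\x.exe -flag)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def split_path(path: str) -> tuple[str, str]:
    """(folder, filename) of a Windows path, lower-cased for comparison."""
    folder, _, name = path.strip().strip('"').lower().rpartition("\\")
    return folder, name


def in_windows_dir(folder: str) -> bool:
    """True when the folder is the Windows root or system32 itself (assumed heuristic)."""
    return (folder.endswith("\\windows") or folder.endswith("\\windows\\system32")
            or folder in ("%systemroot%", "%systemroot%\\system32"))


def triage(log: str) -> list[Finding]:
    """Run the three heuristics over a HijackThis log and collect findings."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := _F2_RE.match(line):
            # Shell= should be a single token; "Explorer.exe C:\WINDOWS\Nail.exe" is not.
            tokens = [t.lower() for t in m.group("value").split()]
            if tokens != [EXPECTED_SHELL]:
                findings.append(Finding("shell-hijack", line))
        elif m := _O4_RE.match(line):
            folder, name = split_path(first_executable(m.group("cmd")))
            if in_windows_dir(folder) and name not in SYSTEM32_ALLOWLIST:
                findings.append(Finding("unknown-system32-autorun", line))
        elif m := _O23_RE.match(line):
            folder, _ = split_path(m.group("path"))
            # A service with no vendor string that runs straight from C:\WINDOWS.
            if m.group("owner").lower() == "unknown owner" and folder.endswith("\\windows"):
                findings.append(Finding("unowned-service-in-windows-root", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.line}")
```

Entries that match a heuristic are only candidates for a closer look (vendor, signature, file date), which is exactly the manual review the thread's helper performs; the allowlist keeps known Windows autoruns such as dumprep out of the list.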
Old 05-21-2005, 06:45 AM   #3 (permalink)
Registered User
 
Join Date: May 2005
Posts: 20
OS: XP


Alright, here's the Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:18:14 AM, 5/21/2005
+ Report-Checksum: 36A5F770

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 85 min
+ Scanned Files: 186274
+ Speed: 36.22 Files/Second
+ Infected files: 122
+ Removed files: 122
+ Files put in quarantine: 122
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
F:\

+ Scan result:
C:\Documents and Settings\Glen\Cookies\glen@ar.atwola[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Glen\Cookies\glen@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\BMK\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\BTH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\BVE\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\BVP\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\CDD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\CKL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\CMK\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\COF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\common.dll -> Spyware.WebSearch.ae -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\dealhelper.exe -> TrojanDownloader.Agent.hw -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\Del7C.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\DQI\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\DUL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ELI\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\EUW\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\FCB\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\FCD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\FCZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\fFGFHQp.exe -> TrojanDownloader.IstBar.ir -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\GID\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\HDF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\HDH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\HDS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\HKE\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\HOJ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\HXF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\i74.tmp -> Spyware.SurfSide.a -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\IFT\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\IHM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\IHX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ISS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\IUL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\JAG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\JJL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\JWG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\JWV\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\JYD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\KAT\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\LEU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\LKL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\LTF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\LXM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\MBZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\MIF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\MIS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\MMX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\NOU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\NSM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\NSS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\NUJ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\OFE\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\OJU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\OYS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\PLG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\PND\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\PNO\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\PPN\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\PYS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\QCD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\QCM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\QCQ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\QIH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\QPR\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\RBM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\res7E.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\RIQ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\RVE\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\SDW\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\SOL\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\SZC\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\TBPS.exe -> Spyware.WebSearch.af -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.fr340D\MediaAccC.dll -> Spyware.WinAD.af -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.fr340D\MediaAccess.exe -> Spyware.MediaPass -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.fr711E\NavHelper\v2.0.4c\NHelper.dll -> Spyware.NavExcel.f -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.fr711E\NavHelper\v2.0.4c\NHUninstaller.exe -> Spyware.Navexcel -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.fr711E\NavHelper\v2.0.4c\NHUpdater.exe -> Spyware.NavExcel -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.fr9CC4\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\temp.frD8C7 -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\THM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\TJA\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\toolbar.dll -> Spyware.Toolbar -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\TUN\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\UAT\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ULI\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\UPN\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\UYF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\UYJ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\VCX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\VEJ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\VGX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\VIQ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\VPN\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\VTS\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\WGT\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\WGX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\XBZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\XMK\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\XSF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\YQR\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\YSO\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ZAC\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ZLG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ZWG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Glen\Local Settings\Temp\ZWK\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Temp\EDow.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\Temp\salmhook.dll -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\Bolger.dll_tobedeleted -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\abasa5jrp_.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\hochkaod3_.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll -> Spyware.Sahat.l -> Cleaned with backup
C:\WINDOWS\hnxymmfeoru.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\056J8DEN\protector_update[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXIV49YZ\protector_update[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitemhg32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitemxs32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitepls32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Eqinkb.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\wlkwatv.exe -> Trojan.Agent.cp -> Cleaned with backup


::Report End


Now here's the Hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 9:42:13 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\\PERSONAL-Z6AS0S\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P48 "\\PERSONAL-Z6AS0S\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\noyfedyw.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [uvboyzy] c:\windows\system32\uvboyzy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099593321984
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


As for Find-It's, I tried to run it but was given an error:

"C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Chose 'Close' to terminate the
application."

It gives the options 'Close' and 'Ignore'; they both bring up the message again.
Old 05-21-2005, 05:38 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hi,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Media Access
SideFind


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\noyfedyw.exe
O4 - HKLM\..\Run: [uvboyzy] c:\windows\system32\uvboyzy.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe


Delete the following files and folders if they still exist (in the original post, files were marked in red and folders in blue).

Files:
C:\WINDOWS\system32\noyfedyw.exe
c:\windows\system32\uvboyzy.exe

Folders:
C:\Program Files\Media Access
C:\Program Files\Sidefind (if it was found in the Add/Remove panel)

Restart in Normal Mode.

Regarding the error in running FindIts.bat:

Copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder. Then run the tool again and post that log here.

If it still won’t run for you:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane. Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

So, I will need:

New HijackThis log
FindIt's.bat log (or Mwav log if FindIt's won't run)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Old 05-21-2005, 06:38 PM   #5 (permalink)
Registered User
 
Join Date: May 2005
Posts: 20
OS: XP


Find-It works now, here's the log.


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 05/21/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\FMOD.DLL
* UPX! C:\WINDOWS\System32\MACDEC.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is D805-618F

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is D805-618F

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».




And here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:37:36 PM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [\\PERSONAL-Z6AS0S\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P48 "\\PERSONAL-Z6AS0S\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099593321984
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Old 05-21-2005, 07:20 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hello,

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Do not run it yet.

Reboot into Safe Mode.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\MACDEC.DLL

Using Windows Explorer delete MACDEC.dll within the specified path if it still exists.

Reboot into Normal Mode and run FindIts.bat again and post one more FindIt's.bat log.
Old 05-21-2005, 08:40 PM   #7 (permalink)
Registered User
 
Join Date: May 2005
Posts: 20
OS: XP


Newest Findit log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 05/21/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\FMOD.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is D805-618F

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is D805-618F

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».
Old 05-21-2005, 08:48 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Hi KainOcelot,

Your logs are clean. Are there any more problems? If not, you should be all set.

Turn off System Restore: Click Start > Right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK. Now re-enable System Restore. This will prevent any reinfection from any previous restore points.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools/programs provided.
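An added example in Python (mine, not a tool from this thread) that mirrors the two checks Ried performs: derive the on-disk files to delete from the O4 lines marked for 'Fix checked' earlier in the thread, and confirm from the follow-up HijackThis log that none of those lines survived, which is what "your logs are clean" means here. The sample lines are copied from this thread's logs; the rule for skipping targets that lack a file extension or use an expanded environment variable is my assumption.

```python
import re

# Constructed sample: the four O4 lines Ried marked for 'Fix checked' in this
# thread, in HijackThis v1.99 log format.
FIX_LINES = [
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\system32\noyfedyw.exe",
    r"O4 - HKLM\..\Run: [uvboyzy] c:\windows\system32\uvboyzy.exe",
    r"O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe",
]

# Constructed 'after' sample: two O4 lines from KainOcelot's second log, which
# no longer contained any of the entries above.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"""

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|bat|cmd|scr))', re.IGNORECASE)


def parse_o4(line):
    """Split an O4 autorun line into hive, key, value name and raw target."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return dict(zip(("hive", "key", "name", "target"), m.groups()))


def exe_path(target):
    """File path inside a target field, minus quotes and arguments; None if no extension."""
    m = EXE_RE.match(target.strip())
    return m.group(1) if m else None


def files_to_delete(fix_lines):
    """Files to remove from disk for the O4 entries being fixed.
    Assumption (mine): a target with no recognised extension, or written via an
    expanded variable such as %systemroot%, is one of Windows' own binaries, so
    only its autorun entry goes; that is why dumprep is not on the delete list."""
    paths = []
    for line in fix_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = exe_path(entry["target"])
        if path is None or path.startswith("%"):
            continue
        paths.append(path)
    return paths


def _norm(line):
    return re.sub(r"\s+", " ", line.strip()).lower()


def still_present(after_log, fix_lines):
    """Fix lines that reappear in a later log. A surviving entry means the fix
    did not take, usually because a running process re-creates it at startup."""
    seen = {_norm(l) for l in after_log.splitlines()}
    return [l for l in fix_lines if _norm(l) in seen]
```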
Old 05-21-2005, 08:56 PM   #9 (permalink)
Registered User
 
Join Date: May 2005
Posts: 20
OS: XP


I hope that's it. The canada.exe icon was still on my desktop, but I blocked and cleaned it with ewido, so hopefully that takes care of it. I really appreciate the help, thanks again for the quick responses and knowledgeable info =)
Copyright 2001 - 2009, Tech Support Forum