TheTechGuide Forum
General Category => Tech Clinic => Topic started by: chrislosch on May 23, 2005, 08:25:41 AM
-
Can someone please help me get rid of these pop-ups. Thank you in advance.
Logfile of HijackThis v1.99.1
Scan saved at 9:21:01 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [fpoknn] c:\windows\system32\gwzhrk.exe
O4 - HKLM\..\Run: [o48U36l] cluaze.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteiez32.exe
O4 - HKCU\..\Run: [Z3r8RWJpP] cidmsnap.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Yahoo! MLB StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
-
Can I have you download a few tools please
*Download and then Install
Ewido Trojan Scanner (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
*Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
We'll need this later
*Download and UNZIP to desktop LQFix.zip, so you now have LQFix.bat and Elite.reg
extracted to the desktop
(attached: LQFix.zip)
We'll need these later
*Download the Nail/Aurora Spyware Fix (http://www.noidea.us/easyfile/file.php?download=20050515010747824) from NoIdea.US. (Alternate download link: dknoppix mirror (http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix))
UNZIP it to the desktop but do NOT run yet.
*I see you have A-Squared installed
Can I have you disable A-Squared Guard protection so it won't interfere with any fixes we try
*Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
*Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- System Startup Service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this service name
WinTools for IE service
*Access your Add/Remove Programs via Control Panel and Remove
WinTools for IE
Stay in safe mode
Double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Double click on LQFix.bat, A window will open and close
Double click on Elite.reg and allow to add or merge to the registry
*Using Windows Explorer, find and delete these files or folders if found
FILES
C:\foo.mht
c:\counter.cab
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
c:\windows\system32\gwzhrk.exe
C:\windows\system32\eliteiez32.exe
C:\WINDOWS\system32\cxtpls_loader.exe <-file, let me know if you found this one
Search for these files and remove if found
cluaze.exe
cidmsnap.exe
FOLDERS
C:\Program Files\Common Files\WinTools <-folder
C:\Program Files\CxtPls <-folder, let me know if you found this one
C:\Program Files\AutoUpdate <-folder, let me know if you found this one
*Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button
Decline to log off or Restart yet
Instead
Open Ewido
*Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please give it time to finish
=If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report".
Do another scan with Hijackthis and put a check next to these entries:
Not all may exist anymore, but fix what is found
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [fpoknn] c:\windows\system32\gwzhrk.exe
O4 - HKLM\..\Run: [o48U36l] cluaze.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteiez32.exe
O4 - HKCU\..\Run: [Z3r8RWJpP] cidmsnap.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Afterwards
Restart back to Normal mode
Back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows
Run another scan with Hijackthis and post a fresh Log
Could you also include the report from Ewido
-
Thanks so much. Here are my reports: (Note: I had the AutoUpdate file)
Logfile of HijackThis v1.99.1
Scan saved at 4:02:38 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\DOCUME~1\closch\LOCALS~1\Temp\HijackThis.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 3:49:46 PM, 5/23/2005
+ Report-Checksum: C407DC2C
+ Date of database: 5/23/2005
+ Version of scan engine: v3.0
+ Duration: 11 min
+ Scanned Files: 52708
+ Speed: 75.56 Files/Second
+ Infected files: 76
+ Removed files: 76
+ Files put in quarantine: 76
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper.ab -> Cleaned with backup
C:\WINDOWS\system\lalak.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\My404.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\lqkozepc.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@dcsi8dupuerp17vzhd59b2lwc_8u5u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S005-01-6-28-254547-85570[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S005-01-6-28-254547-85610[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\djebmm350.exe -> Spyware.Broadcap.a -> Cleaned with backup
C:\Documents and Settings\closch\Local Settings\Temp\pcs_0006.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@bannerads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@bannerads[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@dcsi8dupuerp17vzhd59b2lwc_8u5u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S005-01-6-28-254547-85570[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@dcszqjbnh21e5hmqkbwitxmhi_8f9v[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S0012-01-1-7-217494-47679[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@15876760[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S005-01-6-28-254547-85570[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@10620967[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@bannerads[5].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@bannerads[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@72067136[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@dcs9vjhcvoifwzvpkr3ppi958_9w3d[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@shopnav[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@dcsw8cxeoau4fifujx3tdt6ky_7s8w[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\closch\Cookies\closch@exitexchange[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020344.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020349.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020352.exe -> Spyware.WebSearch.aj -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020368.dll -> Spyware.CoolBar.a -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020370.exe -> Spyware.DealHelper.x -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020373.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020383.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020384.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020385.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020386.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020387.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020389.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020414.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020466.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020520.EXE -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020521.EXE -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020529.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020530.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020574.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020575.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020576.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020577.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020578.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020581.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020584.dll -> Spyware.Wintol.y -> Cleaned with backup
C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020585.exe -> TrojanDownloader.Wintool.f -> Cleaned with backup
::Report End
-
Please post another log from Hijackthis and include the WHOLE log
You only posted the top portion
ONLY run Hijackthis from this location
C:\HJT\HijackThis.exe
Also, let me know if you actually downloaded and ran Windows CleanUp! before you ran Ewido in safe mode
-
Here is the new log. And I forgot that when I originally tried running Windows Clean-up the link wasn't working and I forgot to go back to it. It still isn't working.
Logfile of HijackThis v1.99.1
Scan saved at 8:42:04 AM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe