« previous next »
Pages: [1]

Author Topic: Need Spyware help Please.  (Read 882 times)

Offline chrislosch

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Need Spyware help Please.
« on: May 23, 2005, 08:25:41 AM »
Can someone please help me get rid of these pop-ups. Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:01 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [fpoknn] c:\windows\system32\gwzhrk.exe
O4 - HKLM\..\Run: [o48U36l] cluaze.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteiez32.exe
O4 - HKCU\..\Run: [Z3r8RWJpP] cidmsnap.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Yahoo! MLB StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Need Spyware help Please.
« Reply #1 on: May 23, 2005, 12:24:09 PM »
Can I have you download a few tools please

*Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

*Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
We'll need this later

*Download and UNZIP to desktop LQFix.zip, so you now have LQFix.bat and Elite.reg
extracted to the desktop
[attachment=237:attachment]
We'll need these later

*Download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)
UNZIP it to the desktop but do NOT run yet.

*I see you have A-Squared installed
Can I have you disable Asquared Guard protection so it won't interfere with any fixes we try

*Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

*Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this service name
WinTools for IE service

*Access your Add/Remove Programs via Control Panel and Remove
WinTools for IE

Stay in safe mode

Double-click on nailfix.cmd that you unzipped earlier.  Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Double click on LQFix.bat, A window will open and close
Double click on Elite.reg and allow to add or merge to the registry

*Using Windows Explore, Find and delete these files or folders if found
FILES
C:\foo.mht
c:\counter.cab
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
c:\windows\system32\gwzhrk.exe
C:\windows\system32\eliteiez32.exe
C:\WINDOWS\system32\cxtpls_loader.exe <-file, let me know if you found this one

Search for these files and remove if found
cluaze.exe
cidmsnap.exe

FOLDERS
C:\Program Files\Common Files\WinTools <-folder
C:\Program Files\CxtPls <-folder, let me know if you found this one
C:\Program Files\AutoUpdate <-folder, let me know if you found this one

*Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button
Decline to log off or Restart yet

Instead
Open Ewido
*Click on the Scanner button in the left menu, then click on the Start button.  This scan can take quite a while to run, so please give it time to finish
=If ewido finds anything, it will pop up a notification.  You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report".  

Do another scan with Hijackthis and put a check next to these entries:
Not all may exist anymore, but fix what is found

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [fpoknn] c:\windows\system32\gwzhrk.exe
O4 - HKLM\..\Run: [o48U36l] cluaze.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteiez32.exe
O4 - HKCU\..\Run: [Z3r8RWJpP] cidmsnap.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Afterwards
Restart back to Normal mode

Back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows
Run another scan with Hijackthis and post a fresh Log
Could you also include the Report from Ewido's
« Last Edit: May 23, 2005, 01:05:06 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline chrislosch

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Need Spyware help Please.
« Reply #2 on: May 23, 2005, 03:05:06 PM »
Thanks so much. Here are my reports: (Note: I had the AutoUpdate file)

Logfile of HijackThis v1.99.1
Scan saved at 4:02:38 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\DOCUME~1\closch\LOCALS~1\Temp\HijackThis.exe




---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         3:49:46 PM, 5/23/2005
 + Report-Checksum:      C407DC2C

 + Date of database:      5/23/2005
 + Version of scan engine:   v3.0

 + Duration:            11 min
 + Scanned Files:         52708
 + Speed:            75.56 Files/Second
 + Infected files:         76
 + Removed files:         76
 + Files put in quarantine:      76
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper.ab -> Cleaned with backup
   C:\WINDOWS\system\lalak.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
   C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
   C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
   C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
   C:\WINDOWS\My404.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\lqkozepc.exe -> Spyware.BookedSpace.e -> Cleaned with backup
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@dcsi8dupuerp17vzhd59b2lwc_8u5u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S005-01-6-28-254547-85570[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S005-01-6-28-254547-85610[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\Cookies\closch@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\djebmm350.exe -> Spyware.Broadcap.a -> Cleaned with backup
   C:\Documents and Settings\closch\Local Settings\Temp\pcs_0006.exe -> Spyware.Pacer.b -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcsi8dupuerp17vzhd59b2lwc_8u5u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S005-01-6-28-254547-85570[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcszqjbnh21e5hmqkbwitxmhi_8f9v[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0012-01-1-7-217494-47679[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@15876760[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S005-01-6-28-254547-85570[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S0014-01-2-16-217494-54117[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@10620967[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[5].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@bannerads[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@72067136[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcs9vjhcvoifwzvpkr3ppi958_9w3d[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@shopnav[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@S109821[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@dcsw8cxeoau4fifujx3tdt6ky_7s8w[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\closch\Cookies\closch@exitexchange[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020344.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020349.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020352.exe -> Spyware.WebSearch.aj -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020368.dll -> Spyware.CoolBar.a -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020370.exe -> Spyware.DealHelper.x -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020373.exe -> Spyware.Apropos -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020383.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020384.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020385.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020386.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020387.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020389.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020414.exe -> Trojan.Nail -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020466.dll -> Trojan.Agent.db -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020520.EXE -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020521.EXE -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020529.exe -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP474\A0020530.exe -> Trojan.AproposAd -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020574.exe -> Trojan.Nail -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020575.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020576.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020577.dll -> Spyware.EliteBar.af -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020578.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020581.exe -> Spyware.Apropos -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020584.dll -> Spyware.Wintol.y -> Cleaned with backup
   C:\System Volume Information\_restore{38A44F46-57B2-4F3E-96A3-F4596F62DCF3}\RP475\A0020585.exe -> TrojanDownloader.Wintool.f -> Cleaned with backup


::Report End
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Need Spyware help Please.
« Reply #3 on: May 23, 2005, 03:25:24 PM »
Please post another log from Hijackthis and include the WHOLE log
You only posted the top portion

ONLY run Hijackthis from this location
C:\HJT\HijackThis.exe

Also, let me know if you acutually Downloaded and ran Windows CleanUp! before you ran Ewido's in safe mode
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline chrislosch

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Need Spyware help Please.
« Reply #4 on: May 24, 2005, 07:43:42 AM »
Here is the new log. And I forgot that when I originally tried running Windows Clean-up the link wasn't working and I forgot to go back to it. It still isn't working.

Logfile of HijackThis v1.99.1
Scan saved at 8:42:04 AM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Logged
Pages: [1]
« previous next »