My system is hosed, e2give



mhoezee
2006-05-28, 05:21
I have acquired e2give and can't get rid of it. Multiple attempts with Spybot say it's fixed it, but within minutes of booting up my IE opens by itself and starts popping up full-window advertisements. I've run Ad-Aware and AVG scans, get a clean bill of health, and again within minutes get a whole boatload of new malware. I've tried these in safe mode but they just re-infect. I have attached the Panda online scan and the HijackThis scan. Please help! I also can't get rid of ErrorSafe and the downloader trojan.

Panda

Adware:Adware/Zenosearch Not disinfected c:\windows\system32\dwdsregt.exe
Spyware:Spyware/Media-motor Not disinfected c:\windows\pop06ap2.exe
Adware:Adware/E2Give Not disinfected C:\Program Files\E2G\IeBHOs.dll
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\ErrorSafe Free\FRec.dll
Adware:Adware/E2Give Not disinfected C:\WINDOWS\system32\inicfg32.dll
Adware:adware/zenosearch Not disinfected C:\Documents and Settings\Games\Start Menu\Programs\Startup\Zeno.lnk
Adware:adware/mediatickets Not disinfected C:\WINDOWS\System32\oins.exe
Adware:adware program Not disinfected c:\windows\system32\data.~
Spyware:spyware/safesurf Not disinfected c:\windows\system32\irsmojyy.dll
Adware:adware/yazzle Not disinfected c:\windows\downloaded program files\YazzleActiveX.ocx
Adware:adware/dollarrevenue Not disinfected c:\VSL02.exe
Adware:adware/zenosearch Not disinfected C:\Documents and Settings\Games\Start Menu\Programs\Startup\Zeno.lnk
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Games\Desktop\Click to Find and Fix Errors.url
Spyware:spyware/media-motor Not disinfected c:\windows\unstall.exe
Adware:adware/webhancer Not disinfected c:\windows\webhdll.dll_tobedeleted
Adware:adware/e2give Not disinfected c:\program files\E2G
Adware:adware/popupsearches Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Games\Cookies\games@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Games\Cookies\games@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Games\Cookies\games@adrevolver[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Games\Cookies\games@adtech[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Games\Cookies\games@as-us.falkag[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Games\Cookies\games@belnk[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Games\Cookies\games@c.enhance[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Games\Cookies\games@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Games\Cookies\games@realmedia[1].txt
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\b2search_v17.exe
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.ocx
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\ICD4.tmp\YazzleActiveX.ocx
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\s2co.6.exe[ExtractDLL.dll]
Adware:Adware/E2Give Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\temp.frF62B
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\YazzleActiveX.exe[YazzleActiveX.ocx]
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\BV5R3LOW\IrsmInst[1].exe[ExtractDLL.dll]
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\K9URQZSL\trafficsectorInst[1].exe[b2search_v17.exe]
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\K9URQZSL\trafficsectorInst[1].exe[b2search_v17.exe][²θΗ]
Spyware:Spyware/New.net Not disinfected C:\NNSCAA638.EXE
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Program Files\ErrorSafe Free\EmtERSF.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Program Files\ErrorSafe Free\ESSPChck.dll
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\ErrorSafe Free\FlFxr15.dll
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Program Files\ErrorSafe Free\InstHelp.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Snowball Wars\SnowballWars.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Snowball Wars\uninstaller.exe
Adware:Adware/PurityScan Not disinfected C:\Trelew.exe
Adware:Adware/Mirar Not disinfected C:\WINDOWS\mirar.exe
Virus:Trj/Downloader.IGY Not Disinfected C:\WINDOWS\pi1_36.exe
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\system32\psdsregp.exe
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\system32\UnIrimon.exe
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\whCC-GIANT.exe
Adware:Adware/Zenosearch Not disinfected C:\ZIGID003.exe

mhoezee
2006-05-28, 05:22
Here's the hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 10:59:39 PM, on 5/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\defender23.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\attwde.exe
C:\Program Files\ErrorSafe Free\UERS.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\lwintqez.exe
C:\WINDOWS\System32\attwde.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\windows\system32\dwdsregt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsh5.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {385010C7-C957-4981-8527-3DF202740D76} - C:\Program Files\Windows NT\horemoh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmojyy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\defender23.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [{A8-86-67-72-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwintqez.exe GID003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [attwde] C:\WINDOWS\System32\attwde.exe
O4 - HKCU\..\Run: [ErrorSafe] "C:\Program Files\ErrorSafe Free\UERS.exe" /min
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\RunOnce: [attwde] C:\WINDOWS\System32\attwde.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintqez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\psdsregp.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Games\LOCALS~1\Temp\mma.chm::/alien.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

mhoezee
2006-05-28, 05:32
I had smitfraud earlier and it appears to be fixed as far as I can tell but ran the fix program for it anyway and the scan result follows.

SmitFraudFix v2.49

Scan done at 23:28:31.04, Sat 05/27/2006
Run from C:\Documents and Settings\Games\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\defender??.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\pop06ap2.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Games\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Games\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

tashi
2006-05-28, 09:29
Hello.

While waiting for assistance please read:
You and Windows, a joint effort (http://forums.spybot.info/showpost.php?p=25290&postcount=4)

mhoezee
2006-05-30, 23:33
I followed the fix scenario in the Smitfraud sticky to the letter.

I no longer have ErrorSafe installed, so I think that is cleaned up. But even in safe mode E2Give shows up right after I follow all the "clean" steps using Ewido, Spybot, Ad-Aware and the AVG virus scanner. In fact it shows up right after Ewido says it's cleaned. I also ran Registry Mechanic between each step to fix any broken links. Nothing works.

I have not installed SP2 yet since the system isn't clean. I have 4 computers and somehow missed this one when I recently re-built it. Gah.

So still looking for some help.

tashi
2006-05-30, 23:36
:)

If you have not received assistance by tomorrow, please go here and post a link back to this topic to flag a helper.

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)
Cheers.

LonnyRJones
2006-05-31, 19:07
Hi

Since you've been troubleshooting on your own, I need to see a fresh HijackThis log.

I'm curious why you've never updated Windows?
Don't do it until we've cleaned it up.

mhoezee
2006-06-01, 00:33
I rebuilt the system a couple of months ago over a long weekend and ran out of time to finish the SP2 install. I have some online games that the kids play that needed to be updated with patches to eliminate conflicts with SP2 and they didn't want to wait. So I postponed it and then forgot. I'll rectify that as soon as I'm all clean.

I'll run fresh scans and post them.

mhoezee
2006-06-01, 00:44
Logfile of HijackThis v1.99.1
Scan saved at 6:42:45 PM, on 5/31/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\tdopm.exe
C:\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {385010C7-C957-4981-8527-3DF202740D76} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmvhcg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwintqez.exe GID003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintqez.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Games\LOCALS~1\Temp\mma.chm::/alien.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

mhoezee
2006-06-01, 01:04
Incident Status Location

Adware:Adware/E2Give Not disinfected C:\WINDOWS\system32\inicfg32.dll
Adware:adware/zenosearch Not disinfected C:\Documents and Settings\Games\Start Menu\Programs\Startup\Zeno.lnk
Spyware:spyware/safesurf Not disinfected c:\windows\system32\irsmojyy.dll
Adware:adware program Not disinfected c:\windows\system32\key.~
Adware:adware/zenosearch Not disinfected C:\Documents and Settings\Games\Start Menu\Programs\Startup\Zeno.lnk
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard231.dat
Spyware:spyware/media-motor Not disinfected c:\windows\unstall.exe
Adware:adware/e2give Not disinfected c:\program files\E2G
Adware:adware/mediatickets Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Games\Cookies\games@overture[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Games\Cookies\games@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Games\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Games\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\ExtractDLL.dll
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.INF
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\qms1.tmp
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Games\Local Settings\Temp\qms2.tmp
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\Q1MHGLWJ\SSInstaller[1].exe
Adware:Adware/E2Give Not disinfected C:\Program Files\E2G\__delete_on_reboot__IeBHOs.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\system32\UnIrimon.exe

LonnyRJones
2006-06-01, 02:57
Start HijackThis and place a check next to these items, if there.

O2 - BHO: (no name) - {385010C7-C957-4981-8527-3DF202740D76} - blank (file missing)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmvhcg.dll (file missing)
O4 - HKLM\..\Run: C:\WINDOWS\system32\lwintqez.exe GID003
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintqez.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Games\LOCALS~1\Temp\mma.chm::/alien.cab
====================================
Hit "Fix checked" and close HijackThis.

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="inicfg32.dllxxx"

[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.


Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now run HijackThis again and fix these items:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O20 - AppInit_DLLs: inicfg32.dllxxx
==================================

Make and post a fresh HijackThis log.
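The procedure above relies on reading successive HijackThis logs and noticing which entries survive a fix (the O20 AppInit_DLLs value and the E2G BHO CLSID in this thread). The following is an added example, not code from the thread or from HijackThis, that does that comparison mechanically: it parses the entry lines, flags the entry types the helper targeted (O20 AppInit_DLLs, O2 BHOs with no file on disk, O15 Trusted Zone additions, O4 autoruns launched from system32), and reports which entries from an earlier log are gone and which persist after a fix, matching COM objects by CLSID so a BHO whose description changed from "(file missing)" to "(no file)" is still recognised as the same registration. The two sample logs are constructed from lines posted in this thread, and the small allowlist of legitimate system32 autoruns is an assumption for the example.

```python
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section such as "O20", remainder of the line)

# A HijackThis entry line: "O4 - HKLM\..\Run: [name] C:\path\prog.exe"
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in .exe or .dll inside an O4 entry (quoted or not)
O4_TARGET_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))\b', re.IGNORECASE)

# Assumed allowlist: system32 autoruns from this thread's logs that are legitimate.
# Any other O4 entry that launches something from system32 is flagged for review.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll"}

# Constructed samples: entries taken from the 5/31 and 6/2 logs posted in this thread.
LOG_BEFORE = r"""
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {385010C7-C957-4981-8527-3DF202740D76} - blank (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwintqez.exe GID003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintqez.exe
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: inicfg32.dll
"""

LOG_AFTER = r"""
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintqez.exe
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: inicfg32.dll
"""


def parse_hjt(log: str) -> List[Entry]:
    """Return (section, body) for every HijackThis entry line; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def entry_key(entry: Entry) -> Tuple[str, str]:
    """Identity used for comparing logs: COM registrations by CLSID, everything else by text."""
    section, body = entry
    g = GUID_RE.search(body)
    return (section, g.group(0).upper()) if g else (section, body.lower())


def triage(entries: List[Entry]) -> List[str]:
    """Flag the entry types that kept re-establishing the infection in this thread."""
    findings = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # loaded by user32.dll into every GUI process, so it survives single-process cleanup
                findings.append(f"O20 AppInit_DLLs={dlls}: injected into every process that maps user32.dll")
        elif section == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append(f"O2 BHO registered but file absent: {body}")
        elif section == "O15" and body.startswith("Trusted Zone:"):
            findings.append(f"O15 site added to IE Trusted Zone: {body}")
        elif section == "O4":
            m = O4_TARGET_RE.search(body)
            if m:
                path = m.group(1)
                parts = path.lower().split("\\")
                if "system32" in parts and parts[-1] not in KNOWN_SYSTEM32_AUTORUNS:
                    findings.append(f"O4 autorun from system32 not on allowlist: {path}")
    return findings


def compare(before: str, after: str) -> Dict[str, List[str]]:
    """What a fix removed, what survived it, and which survivors still look hostile."""
    b, a = parse_hjt(before), parse_hjt(after)
    before_keys = {entry_key(e) for e in b}
    after_keys = {entry_key(e) for e in a}
    survivors = [e for e in a if entry_key(e) in before_keys]
    return {
        "removed": [f"{s} - {body}" for s, body in b if entry_key((s, body)) not in after_keys],
        "survived": [f"{s} - {body}" for s, body in survivors],
        "suspicious_after_fix": triage(survivors),
    }


if __name__ == "__main__":
    for heading, lines in compare(LOG_BEFORE, LOG_AFTER).items():
        print(heading)
        for line in lines:
            print("   ", line)
```

Run against the two sample logs, the report shows three entries removed by the HijackThis fix (the blank BHO and the two HKLM/HKCU Run values) and four survivors still flagged: the AppInit_DLLs value, the E2G CLSID, the Zeno.lnk startup item and the Trusted Zone entry, which is the same picture the thread reached by eye.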

mhoezee
2006-06-02, 21:03
Ok, I'll do this when I get home from work this evening.

mhoezee
2006-06-03, 04:05
I followed instructions. Here is the fresh HiJack. E2Give is still popping up as an infection from Ewido. Also HiJack had an error occur when I tried to remove "020 - AppInit_Dll......" I tried it twice and HiJack errored each time.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:02 PM, on 6/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwintqez.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

mhoezee
2006-06-03, 04:20
I just noticed the "02 - BHO Control object..." showed up again also after I removed it.

LonnyRJones
2006-06-03, 04:49
Re-make the reg file mentioned above, merge it then immediately restart your PC

mhoezee
2006-06-03, 05:07
I tried half a dozen times. I can't reboot fast enough before I get an E2Give message from Ewido. Re-infects immediately.

mhoezee
2006-06-03, 05:12
In fact, the second I click "fixme.reg" I get an Ewido message. When I click "add information to the registry" and then reboot, the second I click RESTART I get another Ewido message on E2Give.

mhoezee
2006-06-03, 05:15
I even tried powering off immediately after FIXME.REG. Still saw the Ewido message before power shut off.

LonnyRJones
2006-06-03, 05:19
Hi

Turn off Ewido's active/resident protection and try again; it's getting in the way, apparently.

mhoezee
2006-06-03, 05:27
Ewido is just showing that E2Give is alive and kicking, it doesn't interfere. But I deactivated it. Ran FIXME, rebooted, ran a new HiJack, tried to delete "020 - AppInit..." and HiJack bombs every time. Here's a copy of the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:43 PM, on 6/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

mhoezee
2006-06-03, 05:36
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: inicfg32.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2600.0000
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

LonnyRJones
2006-06-03, 05:42
The HijackThis error when fixing an O20 AppInit file is normal.

Do you have e2g listed in Add/Remove Programs? If so, use its uninstaller.

mhoezee
2006-06-03, 05:46
e2Give is not listed in add/remove programs

mhoezee
2006-06-03, 06:08
I can manually delete it from the registry if that's what needs to be done. Just need to know where and what values.

mhoezee
2006-06-03, 06:10
Going to bed, will check back in the morning.

LonnyRJones
2006-06-03, 06:14
That reg merge has never failed before; we can use Avenger.

1: Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2: Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKLM\software\e2g
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Files to delete:
c:\windows\system32\iniwin32.dll

Folders to delete:
C:\Program Files\E2G


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3: Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4: The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5: Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

mhoezee
2006-06-03, 18:57
Here is the Avenger Text

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vmakaxgh

*******************

Script file located at: \??\C:\Documents and Settings\pnaixyuy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\windows\system32\iniwin32.dll not found!
Deletion of file c:\windows\system32\iniwin32.dll failed!

Could not process line:
c:\windows\system32\iniwin32.dll
Status: 0xc0000034

Folder C:\Program Files\E2G deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\software\e2g deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

mhoezee
2006-06-03, 18:59
Logfile of HijackThis v1.99.1
Scan saved at 12:55:54 PM, on 6/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

LonnyRJones
2006-06-03, 20:24
I see why the reg merge failed: I had another e2g dll listed. My fault.

Manually delete this file: C:\windows\system32\inicfg32.dll

Any problems now?
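The mismatch above (the Avenger script named iniwin32.dll while the log showed inicfg32.dll in AppInit_DLLs) is the kind of thing a small triage helper catches before a script is run. The Python below is an added example, not code from this thread, from HijackThis or from Avenger: it parses HijackThis-style O-lines, pulls out the AppInit_DLLs, BHO and Trusted Zone load points, diffs a "before" and "after" log so a reboot-and-rescan can be checked entry by entry, and verifies that every file listed under "Files to delete:" in a cleanup script actually matches a DLL the log shows loading. The sample log lines and the script text are copied from posts earlier in this thread; all function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Sample lines copied (abridged) from the HijackThis log posted before the Avenger run.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# The same entries from the log posted after the run: the O20 line is gone.
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.mmohsix.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# The Avenger script text exactly as posted in this thread.
AVENGER_SCRIPT = r"""
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKLM\software\e2g
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Files to delete:
c:\windows\system32\iniwin32.dll

Folders to delete:
C:\Program Files\E2G
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
BHO_RE = re.compile(r"^BHO:\s*(.*?)\s+-\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every 'Onn - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def appinit_dlls(entries: List[Tuple[str, str]]) -> List[str]:
    """DLLs named in O20 AppInit_DLLs, which user32 loads into every GUI process."""
    dlls: List[str] = []
    for sec, body in entries:
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            dlls.extend(d for d in re.split(r"[,\s]+", value) if d)  # comma/space separated
    return dlls


def bhos(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """O2 Browser Helper Objects as {name, clsid, path}; the CLSID is the registry key a cleanup must target."""
    out = []
    for sec, body in entries:
        if sec == "O2":
            m = BHO_RE.match(body)
            if m:
                out.append({"name": m.group(1), "clsid": m.group(2), "path": m.group(3)})
    return out


def trusted_zones(entries: List[Tuple[str, str]]) -> List[str]:
    """O15 Trusted Zone additions, which relax IE security for the listed hosts."""
    return [body.split(":", 1)[1].strip() for sec, body in entries if sec == "O15"]


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries removed by a cleanup and entries that appeared afterwards (re-infection)."""
    b = {f"{s} - {x}" for s, x in parse_hjt(before)}
    a = {f"{s} - {x}" for s, x in parse_hjt(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def check_script_targets(script: str, log: str) -> Dict[str, bool]:
    """For each file under 'Files to delete:' report whether its base name is a DLL
    the log shows in AppInit_DLLs. Sections of the script are separated by blank lines."""
    loaded = {_basename(d) for d in appinit_dlls(parse_hjt(log))}
    result: Dict[str, bool] = {}
    in_files = False
    for line in script.splitlines():
        s = line.strip()
        if not s:
            in_files = False
        elif s.lower() == "files to delete:":
            in_files = True
        elif s.endswith(":"):
            in_files = False
        elif in_files:
            result[s] = _basename(s) in loaded
    return result


if __name__ == "__main__":
    print(check_script_targets(AVENGER_SCRIPT, BEFORE_LOG))
    print(diff_logs(BEFORE_LOG, AFTER_LOG))
```

Run against the thread's own text, `check_script_targets` reports the script's single file target as not matching the loaded DLL, and `diff_logs` confirms that the only entry gone after the run is the O20 line while the O15 Trusted Zone entry for *.mmohsix.com is still present and deserves a look.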

mhoezee
2006-06-04, 04:46
Ok, I followed up with an Ewido scan which found a few more objects and a Spybot scan which found a few more things.

I fixed using both tools, rebooted and a repeat scan came up clear for both.

I then ran an Ad-Aware scan which found e2Give again and another downloader. I used Ad-Aware's fix and a follow up scan again showed no critical objects. So I think we're all clean!?

Can I install SP2?

LonnyRJones
2006-06-04, 05:06
"Can I install SP2?"

Please do. You will need to keep revisiting Windows Update until no further critical updates are available; also, there are usually updates out the second Tuesday of each month.

mhoezee
2006-06-04, 05:36
Ok, will do. Thanks so much for your help. You are a gentleman and a scholar! :crowned:

LonnyRJones
2006-06-07, 18:13
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.