Major popups, system hogging, etc.



kithoo
2006-07-24, 00:16
I'm a generally experienced and safe computer user. I don't run unknown executables, keep myself behind a hardware firewall 90% of the time, regularly scan my system with some form of Anti-Virus software, etc.

However, about 2 days ago my friend was using my PC to play a game and apparently he ran some sort of file that was supposed to alter the game (a trainer) and it has completely destroyed my computer. First it was just Smitfraud - which I tried to fix, then it was popups, then it was something else, and so on. I've been playing catchup for days and I'm finally just breaking down and asking some real experts for help.

I tried to run Panda, but my computer is so borked I can't really get through the entire thing without popups killing the iexplore.exe process, and thus destroying the scan. Here's my HJT log, so it's a start I suppose.

Logfile of HijackThis v1.99.1
Scan saved at 5:10:35 PM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lvpcef.exe
C:\WINDOWS\System32\cfgge.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\dfndred_7.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\System32\wfxqhv.exe
C:\WINDOWS\System32\zqskw.exe
C:\Program Files\Common Files\{D4EEE18C-0965-1033-0327-031109040001}\Update.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\cfgge.exe
C:\WINDOWS\System32\cfgge.exe
C:\DOCUME~1\Edward\LOCALS~1\Temp\18046\60711.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost8080
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cfgge.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,nankokp.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 66.208.106.116 l2authd.lineage2.com
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [lmttdd] C:\WINDOWS\System32\lvpcef.exe reg_run
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Edward\Desktop\Ringtones\P2kCommander-V329\P2kAutostart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [hjbuf] C:\WINDOWS\System32\lvpcef.exe reg_run
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Edward\LOCALS~1\Temp\803.tmp3072.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: edcdk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.08.43&unknown&unknown&http://www.scion.com/scionConfigApp/scion/viewsection.jsp?forceLoad=1
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: inicfg32.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
O21 - SSODL: mDkfDWfNpO - {D4EEE18D-7E44-4B27-E756-1FAAB40D7398} - C:\WINDOWS\System32\nte.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
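The helper in this thread reads the log by eye. As an added example (not a tool from the thread, and assuming only the HijackThis v1.99 line formats seen above), the Python below applies the same kinds of checks to lines copied from the log, so the reason each entry gets flagged is explicit:

```python
"""Triage heuristics for HijackThis v1.99 log lines (assumed example).

Flags the kinds of entries a helper singles out: a proxy pointing at the
local host, programs chained after Shell/UserInit, autoruns from odd
locations or with random-looking names, Trusted Zone additions, text/html
filters, AppInit_DLLs, and dead logon hooks. Output is for human review.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the log above plus two benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost8080
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cfgge.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,nankokp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Edward\LOCALS~1\Temp\803.tmp3072.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: gebaawx - gebaawx.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    reason: str    # why the line deserves a look
    line: str      # the original log line

VOWELS = set("aeiouAEIOU")

def looks_random(token: str) -> bool:
    """Weak signal for generated names: six or more characters with no vowel
    at all, or a mix of digits, upper- and lower-case (e.g. 'k6mmN5IOU')."""
    if len(token) < 6:
        return False
    if not any(c in VOWELS for c in token):
        return True
    return (any(c.isdigit() for c in token)
            and any(c.isupper() for c in token)
            and any(c.islower() for c in token))

ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+\.exe$", re.I)          # C:\foo.exe
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\s,]+\.(?:exe|dll)", re.I)       # first path in a command
RUN_RE = re.compile(r"Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)

def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the heuristics, else None."""
    line = line.rstrip()
    section = line.split(" ", 1)[0]
    # R0/R1: IE settings. A proxy on localhost means something on the box
    # sits between the browser and the network.
    if section in ("R0", "R1") and "ProxyServer" in line:
        value = line.split("=", 1)[1]
        if "localhost" in value or "127.0.0.1" in value:
            return Finding(section, "browser proxied through a local port", line)
    # F2: XP launches exactly Explorer.exe and userinit.exe here; anything
    # appended runs at every logon.
    if section == "F2":
        if re.search(r"Shell=Explorer\.exe\s*,\s*\S", line, re.I):
            return Finding(section, "extra program chained after the shell", line)
        if re.search(r"UserInit=[^,]*userinit\.exe\s*,\s*\S", line, re.I):
            return Finding(section, "extra program chained after userinit.exe", line)
    # O4: autorun entries. Location and naming are the cheap signals.
    if section == "O4":
        m = RUN_RE.search(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip().strip('"')
            if ROOT_EXE_RE.match(cmd):
                return Finding(section, "autorun executable in the drive root", line)
            if "\\temp\\" in cmd.lower():
                return Finding(section, "autorun executable in a Temp folder", line)
            p = PATH_RE.search(cmd)
            base = p.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0] if p else ""
            if looks_random(name) or looks_random(base):
                return Finding(section, "random-looking autorun name", line)
    if section == "O15":
        return Finding(section, "site added to the IE Trusted Zone", line)
    if section == "O18" and "Filter: text/html" in line:
        return Finding(section, "MIME filter intercepts every HTML page", line)
    if section == "O20" and "AppInit_DLLs:" in line and line.split(":", 1)[1].strip():
        return Finding(section, "DLL injected into every user-mode process", line)
    if section in ("O20", "O21") and "(file missing)" in line:
        return Finding(section, "logon hook whose DLL is gone; dead entry", line)
    return None

def triage(log: str) -> list:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in map(triage_line, log.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:45} {f.line[:60]}")
```

The two benign lines (NvCplDaemon and the NVIDIA service) pass through untouched; the other ten are the entries a helper would question.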

kithoo
2006-07-24, 00:39
Quick Question - I'm trying to run ewido, to see if it can clean anything up. However, I cannot see any buttons - nothing. Anyone else had this problem? Know of a fix?

pskelley
2006-07-26, 21:43
Hello and welcome to the forum. You have a pretty good mess going here. I see E2Give, Alcan worm, Qoologic trojan and who knows what else. This junk attracts more junk so you need to keep the computer offline as much as possible until you are clean. If you still need help and are not receiving it elsewhere, let's start like this:

1) Please download E2TakeOut by Rubber Ducky from here:

http://www.malwarebytes.org/E2TakeOut.zip

Extract the file to your Desktop
Double click E2TakeOut.exe
Click the Begin Removal button
Wait until the program is finished scanning
Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
Reboot your computer
Once your computer has rebooted E2TakeOut will open and produce a report
Please copy/paste that report into your next reply



2) Thanks to Metallica and any others who helped with this fix. The instructions must be followed exactly if you want the fix to work.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved, a new HiJackThis log and the E2TakeOut report. Please add any comments you think will help.

Thanks...pskelley
Safer Networking Forums

kithoo
2006-07-28, 23:37
Followed those steps that you recommended, and it seems to have cleared up a lot.

Also had a good friend that really knows what he's doing come over and help out some. We cleared a few HJT entries that were either totally unnecessary or suspicious. However, I lost the ewido report because my system rebooted at the end of the scan for some reason.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:32 PM, on 7/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost8080
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cfgge.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,nankokp.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 66.208.106.116 l2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [lmttdd] C:\WINDOWS\System32\lvpcef.exe reg_run
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Edward\Desktop\Ringtones\P2kCommander-V329\P2kAutostart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [hjbuf] C:\WINDOWS\System32\lvpcef.exe reg_run
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: gebaawx - gebaawx.dll (file missing)
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: mDkfDWfNpO - {D4EEE18D-7E44-4B27-E756-1FAAB40D7398} - C:\WINDOWS\System32\nte.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

The E2TakeOut log I forgot to save like a moron - however I clearly remember saying that it cleaned stuff successfully.

Anything else you need? I have the BFU log, which is mostly full of "file not found" and "key not found" entries.

pskelley
2006-07-29, 00:13
Well, you need to decide if you want your friend to do this or me? I normally do not mind help, but this is a nasty complex fix, and we need one leader and the rest followers! You also need to start paying attention to directions and stop losing information I need to see. Please do not remove anything from HJT unless I authorize it, most of what is in the log is necessary to the functioning of your computer.

Read about this one: C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Xorpix.Fam&threatid=44436

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cfgge.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,nankokp.exe
(next two, if you do not know why they are there, check and remove them)
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 66.208.106.116 l2authd.lineage2.com
O4 - HKLM\..\Run: [lmttdd] C:\WINDOWS\System32\lvpcef.exe reg_run
O4 - HKCU\..\Run: [hjbuf] C:\WINDOWS\System32\lvpcef.exe reg_run
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: gebaawx - gebaawx.dll (file missing)
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: mDkfDWfNpO - {D4EEE18D-7E44-4B27-E756-1FAAB40D7398} - C:\WINDOWS\System32\nte.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these files if they are there, do not miss any!!

C:\WINDOWS\System32\cfgge.exe

C:\WINDOWS\System32\gebyy.dll

C:\WINDOWS\System32\gebaawx.dll

C:\WINDOWS\System32\lvpcef.exe

C:\WINDOWS\System32\nankokp.exe

C:\WINDOWS\System32\nte.dll

C:\WINDOWS\SYSTEM32\winghy32.dll

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

You have ewido, make sure it is updated and run according to these instructions in safe mode:
First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
Launch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan and a new HJT log, add any comments you think will help.


Thanks

kithoo
2006-07-29, 18:50
Alright, got all that done.

I ran the ATFCleaner, went back and tried to delete those files. None of them were there but winghy32.dll - which I was unable to delete, even in safe mode.

Here are the HJT and ewido logs.

Logfile of HijackThis v1.99.1
Scan saved at 11:49:06 AM, on 7/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\program files\valve\steam\steam.exe
C:\Documents and Settings\Edward\Desktop\Ringtones\P2kCommander-V329\P2kAutostart.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Edward\Desktop\Ringtones\P2kCommander-V329\P2kAutostart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:41:55 AM 7/29/2006

+ Scan result:



C:\WINDOWS\RWR3YXJk\asappsrv.dll -> Adware.CommAd : No action taken.
C:\WINDOWS\RWR3YXJk\command.exe -> Adware.CommAd : No action taken.
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : No action taken.
C:\WINDOWS\mirar.exe -> Adware.NetNucleus : No action taken.
C:\WINDOWS\system32\ghynf.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\System32\n9nyb.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\n9nyb.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\system32\jkkhfcc.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : No action taken.
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__2_2_3_6___2_7_._d_l_l_ -> Backdoor.Agent.adr : No action taken.
C:\WINDOWS\system32\mscdaux.dll -> Backdoor.Delf.aml : No action taken.
C:\WINDOWS\IFinst25.exe -> Backdoor.Ifinst : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__c_f_g_g_e_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__r_d_p_c_u_n_a_._d_l_l_ -> Downloader.Qoologic.bj : No action taken.
C:\WINDOWS\system32\rsefp.dat -> Downloader.Qoologic.bj : No action taken.
C:\WINDOWS\system32\slx.exer -> Downloader.Tibs.gc : No action taken.
C:\hjt\backups\backup-20060729-012151-562.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : No action taken.
C:\WINDOWS\__delete_on_reboot__c_o_m_d_l_g_6_6_._d_l_l_ -> Proxy.Agent.ji : No action taken.
C:\WINDOWS\system32\clcbt.exe -> Proxy.Baber.a : No action taken.
:mozilla.127:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.247:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.248:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.194:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.195:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.196:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.197:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.198:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.75:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.211:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
:mozilla.172:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.169:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.170:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.171:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.173:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.174:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.59:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.61:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.144:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.185:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.273:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.96:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.97:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.98:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.166:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.89:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.90:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.95:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.85:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.86:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.87:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.88:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.102:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.103:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.114:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.115:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.116:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.117:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.118:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.222:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.223:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.224:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.225:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.226:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.227:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.228:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.76:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.80:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.81:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.51:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.52:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.53:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\VundoFix Backups\DP.sys -> Trojan.Agent.ny : No action taken.
C:\WINDOWS\system32\oiqobkxv.exe -> Trojan.Agent.ny : No action taken.
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : No action taken.


::Report end

Thanks for all the help, sorry about earlier.

pskelley
2006-07-29, 19:35
Follow the instructions here: http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

How to use the Delete on Reboot tool

At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this follow these steps:

Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

These are the files you are deleting; you may enter them both before you reboot:

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\SYSTEM32\winghy32.dll

Start the computer in safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html

Once you are in safe mode, check to make sure these files are gone:

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\SYSTEM32\winghy32.dll


Now run ewido again, and this time when it finds something choose delete or quarantine, anything but "no action taken".

Post a new HJT log and a new ewido scan report.

Thanks

kithoo
2006-07-30, 12:14
Everything seems to be going just fine now; here are the logs. Anything looking trashy in there?


Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 5:13:39 AM, on 7/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Edward\Desktop\Ringtones\P2kCommander-V329\P2kAutostart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:07:33 AM 7/30/2006

+ Scan result:



:mozilla.115:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.116:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.72:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.51:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.52:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.53:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.54:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.55:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.44:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Edward\Cookies\edward@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Edward\Cookies\edward@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Edward\Cookies\edward@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.63:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.46:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.67:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.68:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.69:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.70:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.64:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.65:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.110:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.111:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.112:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

pskelley
2006-07-30, 14:01
Just a little more to do. Are you running Java? I don't see it running in the log, but I see this line:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
If you are not using Java, you can remove that line with HJT; with the missing file, it is not working anyway.

(use HJT to remove these dead lines also)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)

ewido anti-spyware - Scan Report Created at: 5:07:33 AM 7/30/2006
When you run ewido, you need to delete the junk it finds. When you take no action ("No action taken" <<<), you are wasting your time running the program; the junk remains.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

tasha:) will close your topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
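An added triage script, not code from this thread or from HijackThis or ewido, that applies the checks pskelley walks through above to the two report formats posted here: O20 Winlogon Notify entries and dead "(file missing)" lines in the HJT log, a browser proxy pointed at localhost (the R1 line in the second log), and ewido detections left at "No action taken". The sample lines are constructed from the logs in this thread; the severity labels and the function names are this example's own.

```python
"""Triage a HijackThis v1.99.1 log and an ewido 4.0 scan report.

Added example; the regexes are written against the line formats visible in
this thread, not against either tool's published specification.
"""
import re
from collections import Counter

# Constructed sample in HijackThis format (lines taken from this thread).
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
"""

# Constructed sample in ewido report format; the last action string is
# assumed, the first three are the "No action taken." results from the thread.
EWIDO_SAMPLE = r"""
C:\WINDOWS\system32\mscdaux.dll -> Backdoor.Delf.aml : No action taken.
C:\WINDOWS\system32\clcbt.exe -> Proxy.Baber.a : No action taken.
:mozilla.61:C:\Documents and Settings\Edward\Application Data\Mozilla\Firefox\Profiles\default.frc\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
"""

HJT_LINE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
EWIDO_LINE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


def triage_hjt(text):
    """Return (severity, line) findings for an HJT log, in log order."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs are loaded by winlogon.exe before the
            # desktop appears, which is why the helper used Delete-on-Reboot.
            findings.append(("high", line))
        elif section == "R1" and "ProxyServer" in body and "localhost" in body:
            # Browser traffic routed through a local port is the footprint
            # of a proxy trojan such as the Proxy.* hits in the ewido report.
            findings.append(("high", line))
        elif body.endswith("(file missing)"):
            # Dead entry: harmless by itself, but clutter to remove with HJT.
            findings.append(("low", line))
    return findings


def summarize_ewido(text):
    """Return (counts per family, detections left at 'No action taken')."""
    families = Counter()
    untouched = []
    for line in text.strip().splitlines():
        m = EWIDO_LINE.match(line)
        if not m:
            continue
        path, detection, action = m.group("path", "detection", "action")
        family = detection.split(".")[0]  # "Backdoor" from "Backdoor.Delf.aml"
        families[family] += 1
        # Tracking cookies are privacy noise; executables and DLLs that were
        # detected but not removed are still live on the box.
        if action.strip() == "No action taken" and family != "TrackingCookie":
            untouched.append((detection, path))
    return families, untouched


if __name__ == "__main__":
    for severity, line in triage_hjt(HJT_SAMPLE):
        print(f"[{severity:4}] {line}")
    families, untouched = summarize_ewido(EWIDO_SAMPLE)
    print("ewido families:", dict(families))
    for detection, path in untouched:
        print(f"STILL PRESENT: {detection} at {path}")
```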

kithoo
2006-07-30, 21:28
I don't really know why ewido is saying "No action taken". Those files that are listed there were all moved into the quarantine area - which I have now deleted because it was full of all that crap.

I even have the default action set to "Quarantine", so I am left clueless. Thanks a lot for your help here pskelley - it's really appreciated.

tashi
2006-08-03, 22:32
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.