Please Help - Annoying Popup
Hey! I'm new to this forum - and was directed here by a friend of mine who said this forum was a great place to get help. I have installed Hijackthis to /programfiles/hijackthis/hijackthis.exe as you asked me to in the "sticky" and I closed all browsers and most applications when scanning. So here is the log:
--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 16:12:18, on 05/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\iPod\bin\iPodService.exe
c:\windows\system32\nytizr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\Programfiler\Fellesfiler\3Com\LanSupportService.exe
C:\Programfiler\Fellesfiler\3Com\AllWirelessLansService.exe
C:\WINDOWS\explorer.exe
C:\Programmer\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\DeamonTools 3.47\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Realmpegacidrule] C:\Documents and Settings\All Users\Programdata\shim bind real mpeg\Twotime.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejso32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\norway.exe -N
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [qtbads] c:\windows\system32\nytizr.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Programmer\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [acidace] C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1\less new.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - Global Startup: 3Com Launcher.lnk = C:\Programfiler\3Com\Launcher.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1108507973919
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: 3Com Wireless LAN Support (AllWirelessLansService) - 3Com Corp. - C:\Programfiler\Fellesfiler\3Com\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: 3Com LAN Support (LanSupportService) - 3Com Corporation - C:\Programfiler\Fellesfiler\3Com\LanSupportService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
------------------------------------------------------------------
The problem is a popup, which bugs me at timed intervals (about 60 seconds). I have searched with Spybot Search and Destroy and Ad-Aware SE Personal regularly, and they find and delete 40-50 critical objects every time I scan. But it's the same ones every time. Why is this? Where is it coming from? I'm not surfing any questionable sites.
I can post an image of the most frequent popup I get ...
http://www.whinerz.com/bilder/spyware.jpg
Best regards
Eirik "SkyMarshall" Hafskjold
www.whinerz.com
Hi SkyMarshall, welcome to DaniWeb 
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail...e/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful).
If you have problems updating see here: http://www.ewido.net/en/download/updates/
Close the program (don't scan yet).
Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.
Reboot into Safe Mode
Double-click on the Nailfix.bat on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (you will be posting the log from this scan later when back in normal mode). Note -- When you run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do.
Reboot normally
Go to Add/Remove Programs in your Control Panel and remove (if found):
WebSpecials
Scan with hijackthis and have it fix the following entries:
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejso32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\norway.exe -N
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [qtbads] c:\windows\system32\nytizr.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Be sure to close any open windows, other than hijackthis, before hitting Fix checked.
Go to the following locations and delete the highlighted files and folders:
C:\WINDOWS\system32\picsvr
C:\Program Files\WebSpecials
C:\windows\system32\elitejso32.exe
C:\WINDOWS\system32\norway.exe
C:\windows\system32\nytizr.exe
C:\WINDOWS\svcproc.exe
Note: if any of these cannot be deleted, boot into Safe Mode and try from there.
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
(Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.)
Empty your Recycle Bin.
Do a search for new.exe and let us know where any entries are located.
Do you use Bittorrent?
Reboot (into normal mode), close any open browser windows, scan with hijackthis, and post a new log along with the log from the Ewido scan.

Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Hey, and thank you for the fast reply.
I have followed every step, and done the following:
C:\WINDOWS\system32\picsvr - DELETED
C:\Program Files\WebSpecials - NOT FOUND
C:\windows\system32\elitejso32.exe - NOT FOUND (but found "ELITEJSO32.EXE-0F14EC11.pf" in c:/windows/prefetch)
C:\WINDOWS\system32\norway.exe - NOT FOUND
C:\windows\system32\nytizr.exe - NOT FOUND
C:\WINDOWS\svcproc.exe - NOT FOUND (also located as *.pf in windows/prefetch)
Deleted windows/temp and c:/temp and searched for all *.tmp and deleted those as well.
Did a scan for "new.exe" ... but it wasn't located anywhere
Files that could not be deleted from Local/temp:
- Perflib_Perfdata_818
- Perflib_Perfdata_79c
And as for your question about bittorrent: There have been no *.torrent files in any shape or form on my drives since my last format. I did a check in add/remove programs, and I could not find any webspecials or anything else I don't know what is.
--------------------------
HIJACK THIS - LOG
Logfile of HijackThis v1.99.1
Scan saved at 13:25:44, on 05/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\DeamonTools 3.47\daemon.exe
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\3Com\Launcher.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Fellesfiler\3Com\LanSupportService.exe
C:\Programfiler\Fellesfiler\3Com\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inpoc.no/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\DeamonTools 3.47\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Realmpegacidrule] C:\Documents and Settings\All Users\Programdata\shim bind real mpeg\Twotime.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [xncvrq] c:\windows\system32\urfystk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [acidace] C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1\less new.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: 3Com Launcher.lnk = C:\Programfiler\3Com\Launcher.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1108507973919
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: 3Com Wireless LAN Support (AllWirelessLansService) - 3Com Corp. - C:\Programfiler\Fellesfiler\3Com\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\Ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: 3Com LAN Support (LanSupportService) - 3Com Corporation - C:\Programfiler\Fellesfiler\3Com\LanSupportService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
------------------------------
EWIDO SCAN RESULTS
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:57:17, 05/27/2005
+ Report-Checksum: 2D8412C2
+ Date of database: 05/27/2005
+ Version of scan engine: v3.0
+ Duration: 15 min
+ Scanned Files: 76283
+ Speed: 83.23 Files/Second
+ Infected files: 29
+ Removed files: 29
+ Files put in quarantine: 29
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
E:\
F:\
G:\
+ Scan result:
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\Del417.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\download-mattie--.exe -> Spyware.MediaMotor.a -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\firlnin.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\NNCLXA638.EXE -> Spyware.NewDotNet -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\res37C.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\res418.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\simpletraffic.exe -> TrojanDropper.Small.nm -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.fr1C00 -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.fr8FCD -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.frABA8\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\uppicsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\Programfiler\Fellesfiler\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\norway.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\seeve.exe -> Spyware.MediaMotor.f -> Cleaned with backup
C:\WINDOWS\system32\elitejso32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitenjl32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\norway.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\nytizr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\picsvr\picsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned with backup
C:\WINDOWS\system32\urfystk.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\tdhvpaedc.exe -> Spyware.BetterInternet -> Cleaned with backup
::Report End
--------------------
I do however get an error on boot now when entering windows, that windows can't locate "nail.exe" ... should I just delete the "nail"-folders?
Thanks
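One way to check a follow-up HijackThis log against the fix list and the Ewido report, as an added example that is not part of any post in this thread. The log lines are excerpted from the posts above; the function names are hypothetical. On these excerpts it reports that [firlnin] and the SvcProc service are still listed, and that the new [xncvrq] Run value points at a file Ewido had already cleaned.

```python
import re

# Lines excerpted from this thread: the helper's fix list, part of the second
# HijackThis log, and part of the Ewido report.
FIX_LIST = r"""
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejso32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\norway.exe -N
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [qtbads] c:\windows\system32\nytizr.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
SECOND_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [xncvrq] c:\windows\system32\urfystk.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""
EWIDO_REPORT = r"""
+ Scan result:
C:\WINDOWS\system32\nytizr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\picsvr\picsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\WINDOWS\system32\urfystk.exe -> Trojan.Agent.cp -> Cleaned with backup
::Report End
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - ...", "F2 - ..."
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] ")   # "HKLM\..\Run: [name] "
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.I)
MISSING = " (file missing)"


def parse_hjt(text):
    """Return {key: (body, file_missing)} for every HijackThis entry line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)]
        run = RUN_RE.match(body)
        # Key autoruns by registry location and value name, so the same value
        # is recognised even if its command line changes between scans.
        key = f"{code} {run.group(1)} [{run.group(2)}]" if run else f"{code} {body}"
        entries[key] = (body, missing)
    return entries


def unresolved(fix_list, later_log):
    """Fix-list entries that still appear in the later log."""
    return sorted(parse_hjt(fix_list).keys() & parse_hjt(later_log).keys())


def dangling(later_log):
    """Entries marked '(file missing)': the file is gone, the reference is not."""
    return sorted(k for k, (_, missing) in parse_hjt(later_log).items() if missing)


def parse_ewido(report):
    """Map lower-cased path -> detection name from 'path -> name -> action' lines."""
    hits = {}
    for line in report.splitlines():
        parts = [p.strip() for p in line.split(" -> ")]
        if len(parts) == 3:
            hits[parts[0].lower()] = parts[1]
    return hits


def autoruns_to_detected_files(later_log, report):
    """Entries in the later log whose target path the scanner reported."""
    hits = parse_ewido(report)
    found = []
    for key, (body, _) in sorted(parse_hjt(later_log).items()):
        m = PATH_RE.search(body)
        if m and m.group(0).lower() in hits:
            found.append((key, m.group(0), hits[m.group(0).lower()]))
    return found


if __name__ == "__main__":
    for key in unresolved(FIX_LIST, SECOND_LOG):
        print("still listed:", key)
    for key in dangling(SECOND_LOG):
        print("file missing:", key)
    for key, path, name in autoruns_to_detected_files(SECOND_LOG, EWIDO_REPORT):
        print("points at detected file:", key, path, name)
```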
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
------------------------------
EWIDO SCAN RESULTS
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:57:17, 05/27/2005
+ Report-Checksum: 2D8412C2
+ Date of database: 05/27/2005
+ Version of scan engine: v3.0
+ Duration: 15 min
+ Scanned Files: 76283
+ Speed: 83.23 Files/Second
+ Infected files: 29
+ Removed files: 29
+ Files put in quarantine: 29
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
E:\
F:\
G:\
+ Scan result:
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\Del417.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\download-mattie--.exe -> Spyware.MediaMotor.a -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\firlnin.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\NNCLXA638.EXE -> Spyware.NewDotNet -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\res37C.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\res418.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\simpletraffic.exe -> TrojanDropper.Small.nm -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.fr1C00 -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.fr8FCD -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.frABA8\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\uppicsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\Programfiler\Fellesfiler\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\norway.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\seeve.exe -> Spyware.MediaMotor.f -> Cleaned with backup
C:\WINDOWS\system32\elitejso32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitenjl32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\norway.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\nytizr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\picsvr\picsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned with backup
C:\WINDOWS\system32\urfystk.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\tdhvpaedc.exe -> Spyware.BetterInternet -> Cleaned with backup
::Report End
--------------------
I do however get an error on boot now when entering Windows, that Windows can't locate "nail.exe" ... should I just delete the "nail"-folders?
Thanks
You have a few things there that need removing...
-
First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm
Uninstall Messenger Plus as it comes bundled with LOP, one of the infections you currently enjoy. You can reinstall Messenger Plus without the sponsor.
-
Run HiJackThis and click "Scan", then check (tick) the following, if present:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Realmpegacidrule] C:\Documents and Settings\All Users\Programdata\shim bind real mpeg\Twotime.exe
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [xncvrq] c:\windows\system32\urfystk.exe
O4 - HKCU\..\Run: [acidace] C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1\less new.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
files...
C:\WINDOWS\Nail.exe
c:\windows\system32\urfystk.exe
folders...
C:\Documents and Settings\All Users\Programdata\shim bind real mpeg
C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.
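The log entries singled out in the reply above share a few recognisable traits. The following is an added example, not part of the original thread and not HijackThis's own logic: a small triage script run over entries copied from the posted log. Its heuristics (missing target, autostart from a cache or temp folder, a program appended to `Shell=`, a target the ewido report lists as removed) and all function names are assumptions made for illustration.

```python
import re

# Entries copied from the HijackThis log and ewido report posted in this thread.
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [xncvrq] c:\windows\system32\urfystk.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""
EWIDO_REPORT = r"C:\WINDOWS\system32\urfystk.exe -> Trojan.Agent.cp -> Cleaned with backup"

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")                  # "O4 - <rest of entry>"
DETECTION = re.compile(r"^([A-Za-z]:\\.+?) -> (\S+) -> ")   # "<path> -> <name> -> <action>"

def parse_ewido(report):
    """Return {lower-cased file path: detection name} from ewido result lines."""
    hits = {}
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits[m.group(1).lower()] = m.group(2)
    return hits

def triage(log, detections):
    """Return (code, entry, reasons) for autostart entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        low, reasons = body.lower(), []
        if "(no file)" in low or "(file missing)" in low:
            reasons.append("target file missing")
        if "\\temporary internet files\\" in low or "\\temp\\" in low:
            reasons.append("starts from a cache/temp folder")
        if code == "F2" and re.search(r"shell=explorer\.exe\s+\S", low):
            reasons.append("extra program appended to Shell=")
        reasons += [f"scanner removed target ({n})" for p, n in detections.items() if p in low]
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    for code, body, why in triage(HJT_LOG, parse_ewido(EWIDO_REPORT)):
        print(code, body, "->", "; ".join(why))
```

Entries that match none of the heuristics, such as the iTunesHelper line, are not reported; a match is a prompt for review, not proof of infection.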