 |  |  |  |  |  |  |  |
First post, need help, so frustrated
 |
Right, I have McAfee Anytivirus and Antispyware, and put simply, it sucks, I also have Spybot Search & Destroy and Ad-aware but I cant detect and delete whatever virus/spyware i have on my comp at this giving moment.
Its eating my bandwith I use Firefox and I get popups from a program known as "Aurora" which I have no clue what it is, and I get popups in microsoft internet explorer also.
Furthermore whever I open Counter-Strike: Source I get a popup every time a map loads, just randomly, and I my ping goes through the roof and back down again (as if I was perminantly getting pinged)...
How the fawk can I stop all this crfap, my antiviruses and antispywares detect nout, or they'll detect something and say its removed but trhen you scan again and its still there...
Thanks in Advance X)
Its eating my bandwith I use Firefox and I get popups from a program known as "Aurora" which I have no clue what it is, and I get popups in microsoft internet explorer also.
Furthermore whever I open Counter-Strike: Source I get a popup every time a map loads, just randomly, and I my ping goes through the roof and back down again (as if I was perminantly getting pinged)...
How the fawk can I stop all this crfap, my antiviruses and antispywares detect nout, or they'll detect something and say its removed but trhen you scan again and its still there...
Thanks in Advance X)
Hi Daradus,
First of all- welcome to the site.
1. The standard fix for the Aurora infection can be found here.
2. In terms of general detection and cleaning, have a read through the suggestions in this thread.
3. If you need specific help from us after following the suggestions in the above links, please do the following:
Download the (free) HijackThis utility:
http://www.stevewolfonline.com/Downl...HijackThis.exe
Once downloaded, follow these instructions to install and run the program:
Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.
The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
First of all- welcome to the site.
1. The standard fix for the Aurora infection can be found here.
2. In terms of general detection and cleaning, have a read through the suggestions in this thread.
3. If you need specific help from us after following the suggestions in the above links, please do the following:
Download the (free) HijackThis utility:
http://www.stevewolfonline.com/Downl...HijackThis.exe
Once downloaded, follow these instructions to install and run the program:
Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.
The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Ok thanks, Im going through the Aurora part now, but it seems my computer does not have a "System Startup Service" or "SvcProc" Service...
Ill reply once I do the rest though...
Ill reply once I do the rest though...
Ok here we go for the hijackthis stuff, I believe you may have your work cut out for you if its as bad as I suspect with my sister downloading anything that the internet asks her aslong as she's able to get pictures of Matt from busted saved into a folder afterwards -sigh-
Logfile of HijackThis v1.99.1
Scan saved at 10:54:50, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrectw...CsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com/...cF7WWAuXCg.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.locall.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Iolo\Macro Magic\Macros.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.locall.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: crazydemona - crazydemona.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
Edit this was takin before i scanned with edwido so I prolly got rid of some of it with edwido and the crazydemona thing is a keylogger lying dormant which I cant fnd the duplicate files of, it got downloaded uhm, 2 years ago if I remember correctly
Logfile of HijackThis v1.99.1
Scan saved at 10:54:50, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrectw...CsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com/...cF7WWAuXCg.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.locall.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Iolo\Macro Magic\Macros.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.locall.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: crazydemona - crazydemona.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
Edit this was takin before i scanned with edwido so I prolly got rid of some of it with edwido and the crazydemona thing is a keylogger lying dormant which I cant fnd the duplicate files of, it got downloaded uhm, 2 years ago if I remember correctly
Please close any open browser windows, scan with HijackThis, and post a new log; AND post the results from your Ewido scan
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Right ok, so no explorer/firefox open this time, i closed most active programs anyways, such as Steam/MSN/AOL
Oh and for the record, everytime I restart my comp I have a new homepage which is complete jibberish and never loads, such as www.gjsgnbsdnvaevjerjghsrhnbsrg.com
And After using Edwido I got a lil trigger happy and deleted all the infections it found first go, how can I get a log of that/ I probably havent evn looked hard enough but yeah at the moment im ill and cant be bothered dealing with such things...
Logfile of HijackThis v1.99.1
Scan saved at 07:36:46, on 30/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrectw...CsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com/...cF7WWAuXCg.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.locall.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Iolo\Macro Magic\Macros.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.locall.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
Oh and for the record, everytime I restart my comp I have a new homepage which is complete jibberish and never loads, such as www.gjsgnbsdnvaevjerjghsrhnbsrg.com
And After using Edwido I got a lil trigger happy and deleted all the infections it found first go, how can I get a log of that/ I probably havent evn looked hard enough but yeah at the moment im ill and cant be bothered dealing with such things...
Logfile of HijackThis v1.99.1
Scan saved at 07:36:46, on 30/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrectw...CsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com/...cF7WWAuXCg.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.locall.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Iolo\Macro Magic\Macros.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.locall.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
Sorry for the delay in responding to this.
Go to Add or Remove Programs in your Control Panel and remove (if present):
HbTools
Please right-click in an open area of your desktop and select New, Folder; give the new folder a name such as HJT or HijackThis, and then drag the hijackthis.exe icon that is on your desktop into this new folder.
Reboot into Safe Mode and do a complete system scan with Ewido allowing it to fix whatever it finds. Note: you will be posting this log with your next reply.
Now, still in Safe Mode, scan with HijackThis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrect...tCsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com...YcF7WWAuXCg.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Close any open windows, other then HijackThis, and hit Fix checked.
Go to the following locations and delete the highlighted files and folders:
C:\Documents and Settings\All Users\Application Data\funk army drive settings
C:\Program Files\HbTools
C:\Documents and Settings\All Users\Application Data\Dogbibmessanti
Do a search for the following files and give us the complete folder name that they are in (if possible), and then delete the files.
base ooze.exe
Does grey.exe
Empty your Recycle Bin and reboot normally.
Have a look at this thread regarding LimeWire -- http://www.daniweb.com/techtalkforum...light=limewire
Close any open browser windows, scan with HijackThis, and post a new log along with the Ewido log.
Go to Add or Remove Programs in your Control Panel and remove (if present):
HbTools
Please right-click in an open area of your desktop and select New, Folder; give the new folder a name such as HJT or HijackThis, and then drag the hijackthis.exe icon that is on your desktop into this new folder.
Reboot into Safe Mode and do a complete system scan with Ewido allowing it to fix whatever it finds. Note: you will be posting this log with your next reply.
Now, still in Safe Mode, scan with HijackThis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrect...tCsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com...YcF7WWAuXCg.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Close any open windows, other then HijackThis, and hit Fix checked.
Go to the following locations and delete the highlighted files and folders:
C:\Documents and Settings\All Users\Application Data\funk army drive settings
C:\Program Files\HbTools
C:\Documents and Settings\All Users\Application Data\Dogbibmessanti
Do a search for the following files and give us the complete folder name that they are in (if possible), and then delete the files.
base ooze.exe
Does grey.exe
Empty your Recycle Bin and reboot normally.
Have a look at this thread regarding LimeWire -- http://www.daniweb.com/techtalkforum...light=limewire
Close any open browser windows, scan with HijackThis, and post a new log along with the Ewido log.
Right I havent got around to the limewire thing yet, but so far so good I believe, only thing is...some files werent found on the Hijak this scan which worried me;
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com...YcF7WWAuXCg.htm
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
And when I searched, Hbtools wasnt in my programs, and base ooze.exe was not to be found either, the rest has all went bye bye though :p
I found Does Grey.exe here
C:\Documents and Settings\All Users\Application Data\Joy Comp Bend
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com...YcF7WWAuXCg.htm
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
And when I searched, Hbtools wasnt in my programs, and base ooze.exe was not to be found either, the rest has all went bye bye though :p
I found Does Grey.exe here
C:\Documents and Settings\All Users\Application Data\Joy Comp Bend
Don't worry too much about the things you couldn't find or that were no longer there, Add/Remove Programs, Ewido, and the other fixes with HJT probably cleared them up already.
Go to C:\Documents and Settings\All Users\Application Data and delete the Joy Comp Bend folder.
Please post your new HijackThis and Ewido logs.
Go to C:\Documents and Settings\All Users\Application Data and delete the Joy Comp Bend folder.
Please post your new HijackThis and Ewido logs.
|
Similar Threads
- New to php and getting frustrated (HTML and CSS)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: need help surfsidekick3
- Next Thread: Strange Virus creates strange troble in the registry
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare domains e-mafia education email europe exam facebook fancheckvirus gaming gtaiv halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses war warning windows worm yahoo zeroday