First post, need help, so frustrated

Question

Daradus 0 Newbie Poster

18 Years Ago

Right, I have McAfee Anytivirus and Antispyware, and put simply, it sucks, I also have Spybot Search & Destroy and Ad-aware but I cant detect and delete whatever virus/spyware i have on my comp at this giving moment.

Its eating my bandwith I use Firefox and I get popups from a program known as "Aurora" which I have no clue what it is, and I get popups in microsoft internet explorer also.

Furthermore whever I open Counter-Strike: Source I get a popup every time a map loads, just randomly, and I my ping goes through the roof and back down again (as if I was perminantly getting pinged)...

How the fawk can I stop all this crfap, my antiviruses and antispywares detect nout, or they'll detect something and say its removed but trhen you scan again and its still there...

Thanks in Advance X)

windows-virus

3 Contributors
9 Replies
191 Views
1 Week Discussion Span
Latest Post 18 Years Ago Latest Post by dlh6213

All 9 Replies

DMR 152 Wombat At Large

18 Years Ago

Hi Daradus,

First of all- welcome to the site. :)

1. The standard fix for the Aurora infection can be found here.

2. In terms of general detection and cleaning, have a read through the suggestions in this thread.

3. If you need specific help from us after following the suggestions in the above links, please do the following:

Download the (free) HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

dlh6213 27 Posting Maven

18 Years Ago

Please close any open browser windows, scan with HijackThis, and post a new log; AND post the results from your Ewido scan :)

dlh6213 27 Posting Maven

18 Years Ago

Sorry for the delay in responding to this.

Go to Add or Remove Programs in your Control Panel and remove (if present):

HbTools

Please right-click in an open area of your desktop and select New, Folder; give the new folder a name such as HJT or HijackThis, and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Reboot into Safe Mode and do a complete system scan with Ewido allowing it to fix whatever it finds. Note: you will be posting this log with your next reply.

Now, still in Safe Mode, scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrect...tCsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com...YcF7WWAuXCg.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Close any open windows, other then HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted files and folders:

C:\Documents and Settings\All Users\Application Data\funk army drive settings
C:\Program Files\HbTools
C:\Documents and Settings\All Users\Application Data\Dogbibmessanti

Do a search for the following files and give us the complete folder name that they are in (if possible), and then delete the files.

base ooze.exe
Does grey.exe

Empty your Recycle Bin and reboot normally.

Have a look at this thread regarding LimeWire -- http://www.daniweb.com/techtalkforums/showthread.php?t=31290&highlight=limewire

Close any open browser windows, scan with HijackThis, and post a new log along with the Ewido log.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Daradus 0 Newbie Poster · Answer 1 · 2005-08-29T15:47:00+00:00

Ok thanks, Im going through the Aurora part now, but it seems my computer does not have a "System Startup Service" or "SvcProc" Service...
Ill reply once I do the rest though...

Daradus 0 Newbie Poster · Answer 2 · 2005-08-29T15:56:10+00:00

Ok here we go for the hijackthis stuff, I believe you may have your work cut out for you if its as bad as I suspect with my sister downloading anything that the internet asks her aslong as she's able to get pictures of Matt from busted saved into a folder afterwards -sigh-

Logfile of HijackThis v1.99.1
Scan saved at 10:54:50, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrectw.com/n7AsxFQCf/EkDehwdJ6Jw08ln1p0ot6iHbn8D/pjtQ6w6nZ0jIfcZtCsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com/n7AsxFQCf/EF3EQJzY0n/LbROAgZ1TBsYcF7WWAuXCg.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.locall.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Iolo\Macro Magic\Macros.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.locall.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: crazydemona - crazydemona.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

Edit this was takin before i scanned with edwido so I prolly got rid of some of it with edwido and the crazydemona thing is a keylogger lying dormant which I cant fnd the duplicate files of, it got downloaded uhm, 2 years ago if I remember correctly

Daradus 0 Newbie Poster · Answer 3 · 2005-08-30T12:39:21+00:00

Right ok, so no explorer/firefox open this time, i closed most active programs anyways, such as Steam/MSN/AOL

Oh and for the record, everytime I restart my comp I have a new homepage which is complete jibberish and never loads, such as www.gjsgnbsdnvaevjerjghsrhnbsrg.com
And After using Edwido I got a lil trigger happy and deleted all the infections it found first go, how can I get a log of that/ I probably havent evn looked hard enough but yeah at the moment im ill and cant be bothered dealing with such things...

Logfile of HijackThis v1.99.1
Scan saved at 07:36:46, on 30/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ifiromvskazyzjkrybtzrectw.com/n7AsxFQCf/EkDehwdJ6Jw08ln1p0ot6iHbn8D/pjtQ6w6nZ0jIfcZtCsYoxO3Icj.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com/n7AsxFQCf/EF3EQJzY0n/LbROAgZ1TBsYcF7WWAuXCg.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.locall.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34966F4A-8C59-99EF-8A41-8631924AB270} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F559AEC-1187-9DB7-DC78-9DD7569F2ABC} - C:\DOCUME~1\Paul\APPLIC~1\ANTIBO~1\base ooze.exe (file missing)
O2 - BHO: (no name) - {A42EFAF3-EA3F-AA26-A497-CBFB3599E295} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Iolo\Macro Magic\Macros.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.locall.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

Daradus 0 Newbie Poster · Answer 4 · 2005-09-01T20:14:25+00:00

up? :S

btw today's random homepage = http://www.jriabrrhabzvwobfki.biz/n7AsxFQCf/EF3EQJzY0n/FXFTvGbQNbKYcF7WWAuXCg.htm

Daradus 0 Newbie Poster · Answer 5 · 2005-09-07T07:03:38+00:00

Right I havent got around to the limewire thing yet, but so far so good I believe, only thing is...some files werent found on the Hijak this scan which worried me;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qozyzgduukqjsupvrvyu.com...YcF7WWAuXCg.htm
O4 - HKLM\..\Run: [Drivesettingsmultibait] C:\Documents and Settings\All Users\Application Data\funk army drive settings\LIVE CAST.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.6.4.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [Messantibaitcamp] C:\Documents and Settings\All Users\Application Data\Dogbibmessanti\stupid meet.exe
O4 - HKCU\..\Run: [Each Clock] C:\DOCUME~1\Paul\APPLIC~1\JOYCOM~1\Does grey.exe

And when I searched, Hbtools wasnt in my programs, and base ooze.exe was not to be found either, the rest has all went bye bye though :p

I found Does Grey.exe here
C:\Documents and Settings\All Users\Application Data\Joy Comp Bend

dlh6213 27 Posting Maven Team Colleague · Answer 6 · 2005-09-07T09:22:58+00:00

Don't worry too much about the things you couldn't find or that were no longer there, Add/Remove Programs, Ewido, and the other fixes with HJT probably cleared them up already.

Go to C:\Documents and Settings\All Users\Application Data and delete the Joy Comp Bend folder.

Please post your new HijackThis and Ewido logs.

First post, need help, so frustrated

Recommended Answers Collapse Answers

All 9 Replies

Recommended Answers