Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log aurora + abetterinternet?


  • This topic is locked This topic is locked
5 replies to this topic

#1 tommen

tommen

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 24 July 2005 - 09:29 AM

cheers!
got severe problems with spyware and adware a couple of days ago. been using different tools to try and clean out my box, and it's getting better, but still seems to recide some nasty stuff that keeps reinstalling itself. been using spybot, adaware, webroots spy sweeper (trial), Symantec Adware.BetterInternet Removal Tool and Microsoft Antispyware. microsoft seemed to clean out a lot of the stuff the others struggled with, but still, i get Transponder.ABetterInternet installed again. the pop-ups have stopped, at least for now, but MS antispyware have found it installed again.

i have tracked a few suspicious things:
- C:\WINDOWS\bbkrojpiy.exe (Aurora?)
- C:\Progra~1\Support.com\bin\tgcmd.exe

not sure what it is and it's probably more...

really appreciate any help.

peaceout
tom

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 16:24:00, on 24.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\acstp\icserv.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\tdkmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system32\duthot.exe
C:\Program Files\Apoint\Apoint.exe
C:\Progra~1\Support.com\bin\tgcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ACNU\ACNUpdater.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Notmad Explorer\notmgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\program files\acnu\acnupdatersvc.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.work.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TDK Global Pro ISDN Monitor] C:\WINDOWS\System32\tdkmon.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Progra~1\Support.com\bin\tgcmd.exe " /nosystray
O4 - HKLM\..\Run: [eSupInit] "C:\Program Files\Support.com\bin\eSupCmd.exe" -inituser
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [work Connection] "C:\Program Files\work Connection\9341989\Program\work Connection.exe"
O4 - HKLM\..\Run: [ymzpfh] c:\windows\system32\duthot.exe r
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Notmad Explorer\notmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://portal.work.com
O15 - Trusted Zone: *.work.com
O15 - Trusted Zone: *.work.com (HKLM)
O16 - DPF: BI Designer Content Transfer Applets - http://rmnordic.work.com/wdk/wdk/contentXf...ntXfer35FS2.cab
O16 - DPF: {2F175895-5819-4014-83BF-385FA6833677} (IObjSafety.eSupportWS) - https://esupport.work.com/inc/download/IObjSafety.ocx
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://virtualclassroomext.work.com/SiteRo...aDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = work.com
O17 - HKLM\Software\..\Telephony: DomainName = work.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = work.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = work.com,dir.svc.work.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = work.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = work.com,dir.svc.work.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = work.com,dir.svc.work.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: XircomService - Xircom - C:\PROGRAM FILES\XIRCOM\ISDN\XircomService.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:03 PM

Posted 25 July 2005 - 11:52 AM

Hello tommen and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Download nailfix.zip and unzip it to its own folder.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Navigate to the folder you unzipped nailfix.zip into and double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step #5

Start ewido and do the following:
  • Click on the Scanner button.
  • Check the following checkboxes:
    • Binder
    • Crypter
    • Archives (if available)
  • Click on the Start button.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido.
Step #6

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ymzpfh] c:\windows\system32\duthot.exe r

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #7

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):c:\windows\system32\duthot.exe
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 tommen

tommen
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 31 July 2005 - 02:15 PM

hey!
thank you very much for your reply. i have been travelling abroad for some days, just got back to attend to the problem today.

have executed all your tasks. looks better now. the MS antispyware doesn't pick up abetterinternet anymore. gonna run some more scans to see if the others find anything now.

anyway, here are the HJT-log. appreciate your help if there is more bad stuff in there. again, thanx!

Logfile of HijackThis v1.99.1
Scan saved at 21:09:25, on 31.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\acstp\icserv.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\tdkmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Progra~1\Support.com\bin\tgcmd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ACNU\ACNUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Notmad Explorer\notmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\program files\acnu\acnupdatersvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.work.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [TDK Global Pro ISDN Monitor] C:\WINDOWS\System32\tdkmon.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Progra~1\Support.com\bin\tgcmd.exe " /nosystray
O4 - HKLM\..\Run: [eSupInit] "C:\Program Files\Support.com\bin\eSupCmd.exe" -inituser
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [work Connection] "C:\Program Files\work Connection\9341989\Program\work Connection.exe"
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Microsoft AntiSpyware.lnk = C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Notmad Explorer\notmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://portal.work.com
O15 - Trusted Zone: *.work.com
O15 - Trusted Zone: *.work.com (HKLM)
O16 - DPF: BI Designer Content Transfer Applets - http://rmnordic.work.com/wdk/wdk/contentXf...ntXfer35FS2.cab
O16 - DPF: {2F175895-5819-4014-83BF-385FA6833677} (IObjSafety.eSupportWS) - https://esupport.work.com/inc/download/IObjSafety.ocx
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://virtualclassroomext.work.com/SiteRo...aDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = work.com
O17 - HKLM\Software\..\Telephony: DomainName = work.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = work.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = work.com,dir.svc.work.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = work.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = work.com,dir.svc.work.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = work.com,dir.svc.work.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: XircomService - Xircom - C:\PROGRAM FILES\XIRCOM\ISDN\XircomService.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:03 PM

Posted 31 July 2005 - 05:11 PM

Hi tommen. the log looks clean. Good job! How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good firewall and a good antivirus application intalled and running. It is important to have both to protect your system, and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 tommen

tommen
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 01 August 2005 - 02:36 AM

cheers
it all looks good now. the scans i ran with MS antispyware was clean and with evido it found a couple of objects infected. but they where all in the system-restore folder. i turned it off, restarted and back on again. will run some more tests, but belive it will all be good!

thank you very much for your help OT! it was highly appreciated.

peaceout
tom

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:03 PM

Posted 01 August 2005 - 07:55 AM

You're very welcome tommen. I'm glad that we could help.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users