Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log


  • Please log in to reply
4 replies to this topic

#1 act809

act809

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 02 December 2004 - 04:19 PM

Hi I've scanned w/ Ad Aware SE and Spybot 1.3, after my computer started acting funny, and was able get rid of a lot of things. I use Mozilla Firefox, but I decided to try using Yahoo's Anti-Spy to see if there were any problems on my IE (which I was sure there was, which was why I started using Firefox). I got rid of the things that came up (there were hijackers, adware, malware, tracking cookies), but after that, my AOL instant messenger was acting weird, where the after I logged on, I got an "illegal operation" message w/ this under details: AIM caused an invalid page fault in
module KERNEL32.DLL at 0167:bff7b9f6.
Registers:
EAX=7fc39e61 CS=0167 EIP=bff7b9f6 EFLGS=00010202
EBX=7c38b4e0 SS=016f ESP=00540000 EBP=00540028
ECX=00541dd8 DS=016f ESI=00000001 FS=4fef
EDX=00000001 ES=016f EDI=816c8588 GS=0000
Bytes at CS:EIP:
57 89 65 e8 75 04 33 c0 eb 54 85 c0 74 4b c7 45
Stack dump:
00000001 7c38b4e0 7fc39e61 00000001 7c38b4e0 7fc39e61 00541dd8 bffc05b4 bff79250 ffffffff 00541de8 bff7ce23 7fc39e61 00000001 7fc33046 7fc39e61

So I've tried using Hijack This (also to see if there were any otehr problems on my poorly messed up computer) and this was my log:

Logfile of HijackThis v1.98.2
Scan saved at 3:56:29 PM, on 12/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\AYEGEWY.EXE
C:\PROGRAM FILES\NIKON\NKVIEW4\NKVWMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easywebsearch.nl/ie.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easywebsearch.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easywebsearch.nl/ie.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\name\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: BHO Class - {C77E900A-FF55-400E-9BAA-E042C8212898} - (no file)
O2 - BHO: (no name) - {3A87300E-B71A-0FBF-8753-60550DF2724C} - C:\WINDOWS\SYSTEM\RWCEDA.DLL (file missing)
O2 - BHO: (no name) - {3BDE6056-B649-58B3-8753-60550DF3781F} - C:\WINDOWS\SYSTEM\EMPHVKED.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O3 - Toolbar: Easybar - {9AD55269-A21C-4260-BA7F-866FD09E8A8E} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\EWUPDATER.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Towson University\Towson VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Iglmsdd] C:\WINDOWS\SYSTEM\ayegewy.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download2.citrix.com/FILES/en/produ...rent/ica32t.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 68.34.76.5,68.34.76.6

If you could tell me what to delete (and perhaps you might know what's wrong w/ my AIM?) I would greatly appreciate it. Thank you!

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 04 December 2004 - 09:15 AM

Looking at this one...pskelley :thumbsup:
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 04 December 2004 - 12:07 PM

Hello act809, Welcome to BleepingComputer.com. There is a lot of CRAP to clean out, not sure how it is affecting AIM just yet. We will see.

First, please look at this item for me. search for internat.exe and right click on it then open properties. Look at the link under the line. The properties information should look like what is described in the link. If not, please supply me with as much of the properties information as possible.
O4 - HKLM\..\Run: [internat.exe] internat.exe
http://www.liutilities.com/products/wintas...brary/internat/

Open Task Manager, then on the Processes Tab, look for these items and end process on them if they are there:
AYEGEWY.EXE
WUPDATER.EXE


Use these instruction to enable hidden files:
MANUAL INSTR FOR ENABLE HIDDEN FILES
* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Scan with HijackThis and check each of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easywebsearch.nl/ie.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easywebsearch.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easywebsearch.nl/ie.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl
R3 - Default URLSearchHook is missing
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: BHO Class - {C77E900A-FF55-400E-9BAA-E042C8212898} - (no file)
O2 - BHO: (no name) - {3A87300E-B71A-0FBF-8753-60550DF2724C} - C:\WINDOWS\SYSTEM\RWCEDA.DLL (file missing)
O2 - BHO: (no name) - {3BDE6056-B649-58B3-8753-60550DF3781F} - C:\WINDOWS\SYSTEM\EMPHVKED.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O3 - Toolbar: Easybar - {9AD55269-A21C-4260-BA7F-866FD09E8A8E} - (no file)
O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\EWUPDATER.EXE
O4 - HKCU\..\Run: [Iglmsdd] C:\WINDOWS\SYSTEM\ayegewy.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
-Netster

With all browser windows and programs closed, click on "Fix Checked"

I have a request here from the boss, grinler. He would like a copy of EWUPDATER before you delete it. If possible, copy the file to an email and send it to him at: grinler@yahoo.com He would appreciate this.

Open Windows Explorer (Windows key+e), drill down and delete the following files if found, just the file not the folder.

C:\WINDOWS\SYSTEM\AYEGEWY.EXEC:\WINDOWS\EWUPDATER.EXE

Run clean manager: Start, Run type "cleanmgr" without the quotes then ok. Allow windows to remove anything it locates.

Empty the recycle bin and reboot the computer. Using Add Reply to stay in this same thread, post a new log. Include the information asked for above, and any feedback you think we should have.

Thanks...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#4 act809

act809
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 04 December 2004 - 10:49 PM

Thank you for your response!

Regarding internat.exe:
When I searched the file, I found two things:
- The first was internat.exe in the C:\WINDOWS\SYSTEM folder; the properties of this one is like what is described in the link.
- The second was internat.exe in C:\Program Files\Support.com\backup\in . Within the folder was 28672_5559d61cd_ (file). The properties info looked like what was described in the link as well.

This computer has OS Windows ’98, so I did not have the Task Manager/Processes Tab, but when I checked for running programs (Ctrl+Alt+Del), Ayegewy was running, but I did not find the WUPDATER.EXE

Again, because I have 98, I wasn’t able to go through all the instructions you gave for enabling hidden files; there is no “Hide protect OS system files” button.

I followed your instructions in the order in which you wrote them, so although I was able to find and delete C:\WINDOWS\SYSTEM\AYEGEWY.EXE, I could not find C:/WINDOWS/EWUPDATER.EXE

..Just a little curious though; what are ayegewy.exe and ewupdater.exe? I’m not quite sure about ewupdater but I know ayegewy has been sitting around on my computer for about two years.

Here is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 10:49:03 PM, on 12/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\TOWSON UNIVERSITY\TOWSON VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\NIKON\NKVIEW4\NKVWMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\tip601\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Towson University\Towson VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://download2.citrix.com/FILES/en/produ...rent/ica32t.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 68.34.76.5,68.34.76.6

Again, thank you very much!

#5 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 05 December 2004 - 06:28 PM

Hello act809, First let me apologize. I work with Windows Xp Operating System so much, I am sorry that I issued instructions for it. I will try to not let that happen again. Let me address your question as to what those two items are.
The first on "ayegewy.exe" is unidentifiable
and as such is is probably a random named trojan of some type. Try a www.google.com search yourself. With over 1.5 billion or so entries, anything Google can not identify is going to be removed. As a malware writer, one of the benefits besides $$ is you get to call your garbage anything you wish.

The other item, "ewupdater.exe" is EasyWebSearch adware updater, and you can view CastleCops information here: http://computercops.biz/startuplist-6074.html and view more information via a Google search if you wish. This is the item management wanted to access so they could learn more about it.

This item: "internat.exe" appears to be valid as your feedback indicate it has to do with "Microsofts multi-lingual features in Microsoft Windows. This program is important for the stable and secure running of your computer and should not be terminated."

Let's remove these two. you may remove any 016 item that you know you do not use any longer. They are ActiveX contols, and would be replaced if you visit the site again.

Scan with HijackThis and check these two lines:

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

Close all browser windows and programs and click on "Fix Checked:

Having said all of this, let me say that you did a great job following my WindowsXp instructions, :thumbsup: and I thank you for your hard work. You reward is a clean log, and now I have some great instructions from Tony Klein, Texruss and ChrisRLG to help you stay that way:

http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://www.cjwd.demon.co.uk/compsafetyonline.html

Thanks...pskelley
BleepingComputer.com
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users