MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Elitum.Elitebar, Virtual Bouncer, Nail.exe (Read 1921 times)
tseagrams7
« on: May 08, 2005, 09:43:51 PM »

I have run Microsoft Antispyware, Ad-Aware, Spybot, and Symantec and still have viruses.
Please help!

Logfile of HijackThis v1.99.1
Scan saved at 4:21:41 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qnqrby\pmpqo.exe
C:\WINDOWS\System32\Dxkytc.exe
C:\WINDOWS\System32\cnvcbcp.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\yqhuqw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Tom the BOMB\Desktop\The WAR against viruses\hijackthis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ussmhyt] C:\WINDOWS\System32\ctufayk\ussmhyt.exe
O4 - HKLM\..\Run: [fqjnqgyq] C:\WINDOWS\System32\klbgyxv\fqjnqgyq.exe
O4 - HKLM\..\Run: [pxqnecbh] c:\windows\system32\pxqnecbh.exe -start
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [bviklbf] C:\WINDOWS\System32\memnro\bviklbf.exe
O4 - HKLM\..\Run: [xoxgfx] C:\WINDOWS\System32\mogwy\xoxgfx.exe
O4 - HKLM\..\Run: [isycibjx] C:\WINDOWS\System32\gelm\isycibjx.exe
O4 - HKLM\..\Run: [ltkgks] C:\WINDOWS\System32\rcnap\ltkgks.exe
O4 - HKLM\..\Run: [ubcj] C:\WINDOWS\System32\aiualhjw\ubcj.exe
O4 - HKLM\..\Run: [cyxrj] C:\WINDOWS\System32\ijpewwu\cyxrj.exe
O4 - HKLM\..\Run: [mboq] C:\WINDOWS\System32\ybuhaay\mboq.exe
O4 - HKLM\..\Run: [sylqkks] C:\WINDOWS\System32\mtuyy\sylqkks.exe
O4 - HKLM\..\Run: [wuhidhbv] C:\WINDOWS\System32\hphpby\wuhidhbv.exe
O4 - HKLM\..\Run: [xmwkhse] C:\WINDOWS\System32\rtep\xmwkhse.exe
O4 - HKLM\..\Run: [dbrtbiou] C:\WINDOWS\System32\sugs\dbrtbiou.exe
O4 - HKLM\..\Run: [aidxsiem] C:\WINDOWS\System32\guctjk\aidxsiem.exe
O4 - HKLM\..\Run: [qofrqe] C:\WINDOWS\System32\khqphj\qofrqe.exe
O4 - HKLM\..\Run: [pmpqo] C:\WINDOWS\System32\qnqrby\pmpqo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Dxkytc.exe
O4 - HKLM\..\Run: [43FU33P] cnvcbcp.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehwl32.exe
O4 - HKLM\..\Run: [mjzomk] c:\windows\system32\yqhuqw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095527938578
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel

Pancake
« Reply #1 on: May 09, 2005, 01:31:13 AM »

The malware startup, F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe, cannot be fixed using Hijack This:

To remove the startup and delete the file, go to Start > Run and type: cmd and hit Enter. When a command prompt opens, type: nail.exe /FullRemove (there is a space between nail.exe and the /) and hit Enter.

Reboot your machine.

This item, O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe, is part of this hijack, so do this:

Go to Start > Run and type: services.msc and OK. Look for the below service:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

When you find it, stop it if it is running, double-click on it and change the startup type to Disabled.

Next, go HERE and download SvcProc.reg to your Desktop. Double-click on it to merge it with your Registry and boot into Safe Mode (restart your PC and tap F8 as it restarts), then run Hijack This, check the below entry and click on Fix Checked.

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Reboot your machine and post a fresh HJT log as there is still more cleaning to be done.
« Last Edit: May 09, 2005, 01:32:26 AM by Pancake »

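The reply above reads the log by section code (F2, O4, O23) and picks out the Shell= hijack and the unowned service by eye. The script below is an added example by the editor, not code from HijackThis, MyTechSupport.ca or either poster: it parses HJT v1.99.1 entries of those three types and flags the patterns the reply describes. The "random-named System32 subfolder" rule is my own heuristic, modelled on the O4 entries removed in this thread (lowercase, letters-only folder and file names such as ctufayk\ussmhyt.exe), and the SAMPLE_LOG is constructed from entries quoted in the thread.

```python
r"""Triage helper for HijackThis (HJT) v1.99.1 log lines.

Added example for this thread: it is not code from HijackThis, from
MyTechSupport.ca or from either poster. It parses the three entry types the
moderator's reply singles out and flags the patterns that reply describes:
  * F2  - the Winlogon Shell value set to anything beyond plain Explorer.exe
          (the "Shell=Explorer.exe C:\WINDOWS\Nail.exe" case)
  * O23 - a service whose owner HJT reports as "Unknown owner"
  * O4  - a Run entry launching an executable from a random-named System32
          subfolder (the shape of every O4 entry removed in this thread)
The random-name rule is the editor's heuristic, not an HJT feature.
SAMPLE_LOG below is constructed from entries quoted in the thread.
"""
import re
from typing import Dict, List, Optional

# "O4 - HKLM\..\Run: [name] command"  ->  section code + body
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<shell>.+)$", re.IGNORECASE)
RUN_RE = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic: lowercase letters-only executable directly inside a lowercase
# letters-only subfolder of System32, e.g. System32\ctufayk\ussmhyt.exe.
RANDOM_SYS32_RE = re.compile(r"\\[Ss]ystem32\\[a-z]{3,9}\\[a-z]{3,9}\.exe$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT entry into section code and body; None for header/process lines."""
    m = SECTION_RE.match(line.strip())
    if m is None:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def check_entry(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the entry matches one of the flagged patterns."""
    section, body = entry["section"], entry["body"]
    if section == "F2":
        m = SHELL_RE.match(body)
        # HJT only lists the Shell value when it is not the bare Explorer.exe,
        # but the comparison is kept explicit so the rule is self-describing.
        if m and m.group("shell").strip().lower() != "explorer.exe":
            return f"Shell hijack: Winlogon shell is '{m.group('shell')}' instead of Explorer.exe"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m and RANDOM_SYS32_RE.search(m.group("cmd").strip().strip('"')):
            return f"Run entry [{m.group('name')}] launches a random-named System32 subfolder executable"
    elif section == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("owner").strip().lower() == "unknown owner":
            missing = " (file missing)" if "(file missing)" in m.group("path") else ""
            return f"Service '{m.group('display')}' has no recognised owner{missing}"
    return None


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run check_entry over every line of a log; return findings in log order."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(raw)
        if entry is None:
            continue
        reason = check_entry(entry)
        if reason is not None:
            findings.append({"line": lineno, "section": entry["section"],
                             "reason": reason, "entry": raw.strip()})
    return findings


# Constructed sample: a mix of legitimate and hijack entries quoted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ussmhyt] C:\WINDOWS\System32\ctufayk\ussmhyt.exe
O4 - HKLM\..\Run: [pmpqo] C:\WINDOWS\System32\qnqrby\pmpqo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['section']:<3} {f['reason']}")
        print(f"        {f['entry']}")
```

Run against the sample it reports four entries: the Nail.exe shell hijack, the two Run entries under random System32 subfolders, and the unowned SvcProc service, while the NVIDIA, HP, Microsoft AntiSpyware and Symantec entries pass untouched. Paste a whole log into `triage()` and it gives a first-pass worklist; it does not replace reading the O16, O20 and R entries by hand, and the random-name rule will miss a hijack that uses a plausible-looking name.
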
tseagrams7
« Reply #2 on: May 10, 2005, 01:09:16 AM »

I was able to perform every step except for when I ran HJT, it did not show
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
so I could not fix with HJT.


Logfile of HijackThis v1.99.1
Scan saved at 7:52:31 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Tom the BOMB\Desktop\The WAR against viruses\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ussmhyt] C:\WINDOWS\System32\ctufayk\ussmhyt.exe
O4 - HKLM\..\Run: [fqjnqgyq] C:\WINDOWS\System32\klbgyxv\fqjnqgyq.exe
O4 - HKLM\..\Run: [pxqnecbh] c:\windows\system32\pxqnecbh.exe -start
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [bviklbf] C:\WINDOWS\System32\memnro\bviklbf.exe
O4 - HKLM\..\Run: [xoxgfx] C:\WINDOWS\System32\mogwy\xoxgfx.exe
O4 - HKLM\..\Run: [isycibjx] C:\WINDOWS\System32\gelm\isycibjx.exe
O4 - HKLM\..\Run: [ltkgks] C:\WINDOWS\System32\rcnap\ltkgks.exe
O4 - HKLM\..\Run: [ubcj] C:\WINDOWS\System32\aiualhjw\ubcj.exe
O4 - HKLM\..\Run: [cyxrj] C:\WINDOWS\System32\ijpewwu\cyxrj.exe
O4 - HKLM\..\Run: [mboq] C:\WINDOWS\System32\ybuhaay\mboq.exe
O4 - HKLM\..\Run: [sylqkks] C:\WINDOWS\System32\mtuyy\sylqkks.exe
O4 - HKLM\..\Run: [wuhidhbv] C:\WINDOWS\System32\hphpby\wuhidhbv.exe
O4 - HKLM\..\Run: [xmwkhse] C:\WINDOWS\System32\rtep\xmwkhse.exe
O4 - HKLM\..\Run: [dbrtbiou] C:\WINDOWS\System32\sugs\dbrtbiou.exe
O4 - HKLM\..\Run: [aidxsiem] C:\WINDOWS\System32\guctjk\aidxsiem.exe
O4 - HKLM\..\Run: [qofrqe] C:\WINDOWS\System32\khqphj\qofrqe.exe
O4 - HKLM\..\Run: [pmpqo] C:\WINDOWS\System32\qnqrby\pmpqo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Dxkytc.exe
O4 - HKLM\..\Run: [43FU33P] cnvcbcp.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehwl32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ilinlm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [yseuwuw] c:\windows\system32\nydzuwi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: rcrt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095527938578
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Please advise.
Thank you for your time. -T

Pancake
« Reply #3 on: May 10, 2005, 03:01:42 AM »

Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes. These instructions are for HJT v1.99.1 only.


Download any of the required programs before attempting to start any of the fixes.



Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check
« Last Edit: May 10, 2005, 03:03:45 AM by Pancake »

tseagrams7
« Reply #4 on: May 12, 2005, 12:04:23 AM »

Hi Pancake.
Sorry this took so long to get back to you.  I followed everything you suggested and here is the HJT file.  Please advise.  Thanks again for your assistance. -T


Logfile of HijackThis v1.99.1
Scan saved at 6:56:08 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\xevwgfv\ucjtl.exe
C:\WINDOWS\System32\mxgw\wujytks.exe
C:\WINDOWS\System32\ibutqj\nmscwx.exe
C:\WINDOWS\System32\yqbqfyy\thwyy.exe
C:\WINDOWS\System32\tjferw\dqhrpr.exe
C:\WINDOWS\System32\ajdh\retid.exe
C:\WINDOWS\System32\rbfojr\wqrubjnd.exe
C:\WINDOWS\System32\mqbce\eqjhyk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\efrpsddu\ndvmw.exe
C:\WINDOWS\System32\amiv\lxfgjp.exe
C:\WINDOWS\System32\udtjyel\lndfoqr.exe
C:\WINDOWS\System32\vbjeyyv\ndffyx.exe
C:\WINDOWS\System32\styq\xtvsu.exe
C:\WINDOWS\System32\vlbqytgp\dwfdh.exe
C:\WINDOWS\System32\boofs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Tom the BOMB\Desktop\The WAR against viruses\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [equbtl] C:\WINDOWS\System32\nslxgd\equbtl.exe
O4 - HKLM\..\Run: [ucjtl] C:\WINDOWS\System32\xevwgfv\ucjtl.exe
O4 - HKLM\..\Run: [nmscwx] C:\WINDOWS\System32\ibutqj\nmscwx.exe
O4 - HKLM\..\Run: [thwyy] C:\WINDOWS\System32\yqbqfyy\thwyy.exe
O4 - HKLM\..\Run: [dqhrpr] C:\WINDOWS\System32\tjferw\dqhrpr.exe
O4 - HKLM\..\Run: [retid] C:\WINDOWS\System32\ajdh\retid.exe
O4 - HKLM\..\Run: [wqrubjnd] C:\WINDOWS\System32\rbfojr\wqrubjnd.exe
O4 - HKLM\..\Run: [eqjhyk] C:\WINDOWS\System32\mqbce\eqjhyk.exe
O4 - HKLM\..\Run: [ndvmw] C:\WINDOWS\System32\efrpsddu\ndvmw.exe
O4 - HKLM\..\Run: [lxfgjp] C:\WINDOWS\System32\amiv\lxfgjp.exe
O4 - HKLM\..\Run: [lndfoqr] C:\WINDOWS\System32\udtjyel\lndfoqr.exe
O4 - HKLM\..\Run: [ndffyx] C:\WINDOWS\System32\vbjeyyv\ndffyx.exe
O4 - HKLM\..\Run: [xtvsu] C:\WINDOWS\System32\styq\xtvsu.exe
O4 - HKLM\..\Run: [dwfdh] C:\WINDOWS\System32\vlbqytgp\dwfdh.exe
O4 - HKLM\..\Run: [wujytks] C:\WINDOWS\System32\mxgw\wujytks.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [L0w8RTjsg] boofs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095527938578
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)


Pancake
« Reply #5 on: May 12, 2005, 12:39:41 AM »

Hi...A few more to fix.

It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes. These instructions are for HJT v1.99.1 only.




Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check

tseagrams7
« Reply #6 on: May 12, 2005, 03:54:47 AM »

OK, here is the latest.  Thanks Pancake! - T


Logfile of HijackThis v1.99.1
Scan saved at 10:48:44 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Tom the BOMB\Desktop\The WAR against viruses\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\Scanner\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095527938578
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)


Pancake
« Reply #7 on: May 12, 2005, 05:11:28 AM »

Your log is now clean. If you turned off Restore, turn it back on and create a Restore Point.

Please use this as Your Guide to Spyware Prevention and use the tools provided.

tseagrams7
« Reply #8 on: May 12, 2005, 10:55:27 PM »

Pancake,
Thanks sooooo much for helping me out - you're the best.  Could you give me your email address so we can talk offline from the forum?
Thanks again for all your time and efforts. -T

Pancake
« Reply #9 on: May 13, 2005, 01:46:19 AM »

pancake@mytechsupport.ca