1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

c++ runtime orroe on boot

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by 7rexeL, Feb 5, 2006.

  1. 7rexeL

    7rexeL Techie7 New Member

    Runtime Error!

    Program: C:\WINDOWS\EXPLORER.EXE

    Logfile of HijackThis v1.99.1
    Scan saved at 1:24:30 AM, on 1/1/2002
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\windows\system32\oqbynx.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\Program Files\Logitech\Keyboard\LCDMon.exe
    D:\Program Files\SmartBarXP\SmartBarXP.exe
    D:\Program Files\Logitech\Keyboard\Applets\LCDClock.exe
    D:\Program Files\Logitech\Keyboard\Applets\LCDMedia.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\sbmthread.exe
    D:\Linksys\Norton\Norton AntiVirus\navapsvc.exe
    D:\Linksys\Norton\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r31.insightbb.com;;localhost;<local>
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://netcenter.netscape.com/netcenter/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwo7vtrl.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwo7vtrl.slt\prefs.js)
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - blank (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\KEEP\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - blank (file missing)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Linksys\Norton\Norton AntiVirus\NavShExt.dll
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Linksys\Norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [schtasnks.exe] C:\WINDOWS\system32\schtasnks.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.1_02\bin\jusched.exe
    O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec AntiVirus\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\Keyboard\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\Keyboard\LCDMon.exe"
    O4 - HKLM\..\Run: [krlftu] c:\windows\system32\oqbynx.exe r
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [mqwi] C:\PROGRA~1\COMMON~1\mqwi\mqwim.exe
    O4 - HKCU\..\Run: [SmartBarXP] D:\Program Files\SmartBarXP\SmartBarXP.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\fastload.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\Apple\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Linksys\Norton\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Linksys\Norton\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\Symantec Shared\Script Blocking\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  2. 7rexeL

    7rexeL Techie7 New Member

    PC worked this morning, i bought a new case, now that the transplant is complete, i get this error...all hdd's cdrom's and etc are functioning properly- i can do anything and everything, but this error stays on the destop and if i click 'ok', explorer shuts down, and restarts, leaving the error again. i reset all my bios settings to factory defaults to no avail. norton, adaware, etc. detect no problems. my norton is up to date, however my ad-aware is the shareware version and thus i cannot update. i will restart shortly and re-sit my RAM sticks. maybe that will solve it. post again shortly.
     
  3. 7rexeL

    7rexeL Techie7 New Member

    Unfortunately, reseating my RAM didnt help..this time when windows came up, right before the error came up, a red 'x' appeared over the tray icon of norton, indicating ''Auto-Protect'' had been disabled, a few seconds later the 'x' disappeared....Very distrubing :eek:.

    Also, im noticing a few processes in task manager that i do not recognize... is it wise to be connected to the internet right now???

    LoL this is the most fun i've had since my senior prom ;)
     
  4. Neal

    Neal Dedicated Member

    Welcome to DAL,


    BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

    First, download Ewido Security Suite.

    Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

    Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

    Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

    You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

    When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

    For a final cleanup, please install and run Ewido.
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful")
    5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
    7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

    Lots more to do, highly infected.
     
  5. 7rexeL

    7rexeL Techie7 New Member

    Ad-aware didnt prompt me to run on boot, and the option is blocked...so i ran full and smart scans multiple times, restarting between each, now im running ewido...takes so long going one-by-one :eek: I must admit, it is a thorough program. :D

    LoL so many programs tried to access the net, then norton caught two trojans trying to access the internet (during ewido scan)...amazing how active these malicious programs come alive as you start to clean them out
     
    Last edited: Feb 6, 2006
  6. 7rexeL

    7rexeL Techie7 New Member

    Apologise for the long wait, internet connection issues (unrelated- isp doing work)

    THIS IS SECOND RUN REPORT, FIRST IS BELOW
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 12:53:59 AM, 1/1/2002
    + Report-Checksum: 6289AAC8

    + Scan result:

    D:\My Documents\Xfire\downloads\goodgame_eswc_2005_us.rar/goodgame_eswc_2005(us)\src\83456.ico -> Not-A-Virus.IMFlooder.Win32.VB.dn : Ignored
    [2232] C:\WINDOWS\system32\zeerej.exe -> Trojan.Agent.cp : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kqwr89n5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
    D:\My Documents\Xfire\downloads\goodgame_eswc_2005_us.rar/goodgame_eswc_2005(us)\src\menu\.ico -> Not-A-Virus.IMFlooder.Win32.VB.dn : Error during cleaning


    ::Report End
     
    Last edited: Feb 8, 2006
  7. 7rexeL

    7rexeL Techie7 New Member

    This first ewido report is 57,311 chars long!! is there an alternate way to get it to you?? maybe an e-mail or somthing
     
  8. Neal

    Neal Dedicated Member

    Hi,

    Post a hijackthis log.

    Split it up in two different attachments if you have to on two different posts.
     
  9. 7rexeL

    7rexeL Techie7 New Member

    Logfile of HijackThis v1.99.1
    Scan saved at 11:10:47 PM, on 2/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Logitech\Keyboard\LCDMon.exe
    D:\Program Files\Logitech\Keyboard\Applets\LCDClock.exe
    D:\Program Files\Logitech\Keyboard\Applets\LCDMedia.exe
    D:\Linksys\Norton\Norton AntiVirus\navapsvc.exe
    D:\Linksys\Norton\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\sol.exe
    C:\WINDOWS\system32\zeerej.exe
    D:\My Documents\Xfire\Xfire.exe
    D:\Program Files\SmartBarXP\SmartBarXP.exe
    C:\WINDOWS\system32\sbmthread.exe
    C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
    C:\Program Files\Outlook Express\msimn.exe
    D:\Linksys\Norton\Norton AntiVirus\OPScan.exe
    C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r31.insightbb.com;;localhost;<local>
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://netcenter.netscape.com/netcenter/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwo7vtrl.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwo7vtrl.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\KEEP\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - blank (file missing)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Linksys\Norton\Norton AntiVirus\NavShExt.dll
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Linksys\Norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [schtasnks.exe] C:\WINDOWS\system32\schtasnks.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.1_02\bin\jusched.exe
    O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec AntiVirus\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\Keyboard\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\Keyboard\LCDMon.exe"
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [mqwi] C:\PROGRA~1\COMMON~1\mqwi\mqwim.exe
    O4 - HKCU\..\Run: [SmartBarXP] D:\Program Files\SmartBarXP\SmartBarXP.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\fastload.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\Apple\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Linksys\Norton\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Linksys\Norton\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\Symantec Shared\Script Blocking\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  10. Neal

    Neal Dedicated Member

    Hi, The Epolvy trojan you had is gone but that nail infection is still there, seems these things are getting tougher all the time, Nail usually goes real easy but this one is going to be stubborn so let's do some cleaning first then we will do the nail fix again.


    look in add/remove program and remove if present "MywebSearch"

    Reboot if removed


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5


    Download Clean.bat to your desktop(Save page as or Save as): for later use to clean out your TEMPORARY and PREFETCH files.
    http://www.thatcomputerguy.us/downloads/clean.bat


    Download CCleaner from here:
    http://www.majorgeeks.com/download4191.html
    or here:
    http://www.filehippo.com/download_ccleaner.html

    don't run the tool just yet please.
    Install it. The windows tab should be opened in the upper left of the program. Click analyze and then click run cleaner. Just use the windows tab that is up front by default.

    1.Uncheck "Cookies" under "Internet Explorer".

    2.If you are running Firefox: ,then click on the "Applications" tab and uncheck "Cookies" under "Firefox".


    Please download Nailfix from here:
    http://www.noidea.us/easyfile/file.php?download=20050515010747824
    Unzip it to the desktop but please do NOT run it yet.

    Alternate sites for Nailfix down load:

    ZIP file version:
    http://www.noidea.us/easyfile/file.php?dow...050515010747824

    EXE "Setup" version:
    Official site: http://www.noidea.us/easyfile/file.php?dow...050711214630636

    Mirrors:
    http://www.spywareedge.net/nf/nailfix.exe



    Run hijackthis again and click on the scan button and put checks next to these:


    R3 - Default URLSearchHook is missing

    O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - blank (file missing)
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)

    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)

    O4 - HKLM\..\Run: [schtasnks.exe] C:\WINDOWS\system32\schtasnks.exe
    O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
    O4 - HKCU\..\Run: [mqwi] C:\PROGRA~1\COMMON~1\mqwi\mqwim.exe

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS



    Nothing open but hijackthis and click "fix checked"


    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.


    Now hunt for and delete if present:-Still in safe mode

    C:\WINDOWS\system32\schtasnks.exe < file
    C:\WINDOWS\satmat.exe < file
    C:\Program Files\Common Files\mqwi < folder


    Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.


    Now run CCleaner useing the windows tab only please


    Reboot back into safe mode:

    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Then please run Ewido, and run a full scan. Save the logfile from the scan.

    Next please run HijackThis, click Scan, and check:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Close all open windows except for HijackThis and click Fix Checked.

    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.