Really odd problem with a file ,, any suggestions

August 21, 2005 12:55:15 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

I have a computer that i'm working on ,, and i have discovered a little
oddity and can't find an answer to.

I open up task manager and i find a weird looking file running in the
process , let's call this file ekfitve.exe for example ,, then i find this
file in c:\windows\system32 folder ,,, if i put both windows side by side
and then end the process in task mgr ,, i can see this file change its
name right in front of me ,,,then it appears with that name in task mgr.

The file is always a weird combo of letters and it never seems to repeat
itself ,,, i've tried deleting the file ,,but of course can't access it and
i've tried going through Xp's repair option to try and get it before it
loads ,, but of course with it changing its name ,, what do i look for?
There's no way of locating it.

I was thinking of one last shot of getting this bugger ,,with any help from
here , before deep sixing the system and starting from scratch.

Any suggestions????

Thanks , Gord
Anonymous
August 21, 2005 12:55:16 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

Format and reinstall.

--

"Instead of trying to bash me you should try to learn from me and
archive my posts so you can better help people in the future. If you don't
understand something I post then ask me my email is valid."

- pcbutts1.@thisoldtreehouse.com
- pcbutts1.@seedsv.com




LouisG wrote:
> I have a computer that i'm working on ,, and i have discovered a
> little oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find
> this file in c:\windows\system32 folder ,,, if i put both windows
> side by side and then end the process in task mgr ,, i can see this
> file change it's name right in front of me ,,,then it appears with
> that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to
> repeat itself ,,, i've tried deleting the file ,,but of course can't
> access it and i've tried going through Xp's repair option to try and
> get it before it loads ,, but of course with it changing it's name ,,
> what do i look for? There's no way of locating it.
>
> I was thinking of one last shot of getting this bugger ,,with any
> help from here , before deep sixing the system and starting from
> scratch.
>
> Any suggestions????
>
> Thanks , Gord

--
Anonymous
August 21, 2005 1:19:32 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

LouisG <imnot@home.com> wrote in
news:Xns96B964E7D447111241959@216.196.97.142:

> I have a computer that i'm working on ,, and i have discovered a
> little oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find
> this file in c:\windows\system32 folder ,,, if i put both windows side
> by side and then end the process in task mgr ,, i can see this file
> change it's name right in front of me ,,,then it appears with that
> name in task mgr.
>
> The file is always a weird combo of letters and it never seems to
> repeat itself ,,, i've tried deleting the file ,,but of course can't
> access it and i've tried going through Xp's repair option to try and
> get it before it loads ,, but of course with it changing it's name ,,
> what do i look for? There's no way of locating it.
>
> I was thinking of one last shot of getting this bugger ,,with any help
> from here , before deep sixing the system and starting from scratch.
>
> Any suggestions????
>
> Thanks , Gord

that's not a really odd problem, it's some type of spyware/adware, and this
is typical behavior.

try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
August 21, 2005 1:23:36 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

I've cleaned the computer with these ,, there are six accounts on this
computer , including the admin through safe mode , with three different
types of cleaners ,,including spybot ,, and they catch things , but it
still happens ,,,,the only thing that doesn't seem to get cleaned is a
key in the registry for Altnet.

DanS <t.h.i.s.n.t.h.a.t@a.d.e.l.p.h.i.a..n.e.t> wrote in
news:Xns96B969B485191idispcom@216.196.97.142:

> LouisG <imnot@home.com> wrote in
> news:Xns96B964E7D447111241959@216.196.97.142:
>
>> I have a computer that i'm working on ,, and i have discovered a
>> little oddity and can't find an answer to.
>>
>> I open up task manager and i find a weird looking file running in the
>> process , let's call this file ekfitve.exe for example ,, then i find
>> this file in c:\windows\system32 folder ,,, if i put both windows
>> side by side and then end the process in task mgr ,, i can see this
>> file change it's name right in front of me ,,,then it appears with
>> that name in task mgr.
>>
>> The file is always a weird combo of letters and it never seems to
>> repeat itself ,,, i've tried deleting the file ,,but of course can't
>> access it and i've tried going through Xp's repair option to try and
>> get it before it loads ,, but of course with it changing it's name ,,
>> what do i look for? There's no way of locating it.
>>
>> I was thinking of one last shot of getting this bugger ,,with any
>> help from here , before deep sixing the system and starting from
>> scratch.
>>
>> Any suggestions????
>>
>> Thanks , Gord
>
> that's not a really odd problem, it's some type of spyware/adware, and
> this is typical behavior.
>
> try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
>
>
Anonymous
August 21, 2005 1:53:07 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

LouisG <imnot@home.com> wrote in news:Xns96B969B5E840B11241959@
216.196.97.142:

> I've cleaned the computer with these ,, there are six accounts on this
> computer , including the admin through safe mode , with three different
> types of cleaners ,,including spybot ,, and they catch things , but it
> still happens ,,,,the only thing that doesn't seem to get cleaned is a
> key in the registry for Altnet.
>

Is the AltNet from the Aurora company ? If it is, there will be an
Add/Remove Programs entry for it that doesn't work. This is a tough one to
get rid of if so.
August 21, 2005 2:04:37 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

"LouisG" <imnot@home.com> wrote in message
news:Xns96B964E7D447111241959@216.196.97.142...
> I have a computer that i'm working on ,, and i have discovered a little
> oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find this
> file in c:\windows\system32 folder ,,, if i put both windows side by side
> and then end the process in task mgr ,, i can see this file change it's
> name right in front of me ,,,then it appears with that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to repeat
> itself ,,, i've tried deleting the file ,,but of course can't access it and
> i've tried going through Xp's repair option to try and get it before it
> loads ,, but of course with it changing it's name ,, what do i look for?
> There's no way of locating it.


it's a mutating virus...
you need to run a virus check with a recently updated virus checker...
but if you delete it and it returns...
you may need to backup your data and do a fresh install
Anonymous
August 21, 2005 2:12:54 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Hi,

Nasty little virus you have there, and that name changing is a means of
protecting itself and preventing removal. It occurs as there is another
function in place that checks for the presence of the virus, and if not
there it creates a new instance (hence the name change you see). The way to
defeat it is in Safe mode where neither the bug nor the check is active. From
there you will be able to delete the files involved and the registry entries
that load them. If you do not get the latter, then a new instance will be
created when you start in normal mode. Make sure to check the run keys in
all of the HKCU entries in addition to the HKLM keys.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"LouisG" <imnot@home.com> wrote in message
news:Xns96B964E7D447111241959@216.196.97.142...
>I have a computer that i'm working on ,, and i have discovered a little
> oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find this
> file in c:\windows\system32 folder ,,, if i put both windows side by side
> and then end the process in task mgr ,, i can see this file change it's
> name right in front of me ,,,then it appears with that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to repeat
> itself ,,, i've tried deleting the file ,,but of course can't access it
> and
> i've tried going through Xp's repair option to try and get it before it
> loads ,, but of course with it changing it's name ,, what do i look for?
> There's no way of locating it.
>
> I was thinking of one last shot of getting this bugger ,,with any help
> from
> here , before deep sixing the system and starting from scratch.
>
> Any suggestions????
>
> Thanks , Gord
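
Added example (not part of any poster's message, and not code from any tool named in the thread): the reply above describes a second component that re-creates the program under a new name and reloads it from the Run keys. One way to locate the entry despite the changing name is to save the HijackThis `O4` autostart lines before and after ending the process and diff them. The function names and both sample snapshots are constructed for illustration; `ekfitve.exe` is the placeholder name from the original question.

```python
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "hive key name image")

# HijackThis autostart line:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|bat|scr|dll))(?:\s|$)", re.I)


def image_path(cmd):
    """Return the lower-cased executable path of a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)].lower()   # quoted path, may hold spaces
    m = IMAGE_RE.match(cmd)                        # unquoted: stop at extension
    return (m.group(1) if m else cmd).lower()


def parse_o4(log_text):
    """Collect the O4 (Run / RunServices) entries of one saved log."""
    entries = set()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries.add(Entry(hive, key, name, image_path(cmd)))
    return entries


def renamed_autostarts(before_log, after_log):
    """Pair entries that vanished with entries that appeared in the same
    hive, key and directory but under a different file name. That pattern
    is what a re-spawning watchdog leaves behind; a legitimate install
    into the same directory between snapshots would also match, so treat
    each hit as a lead to inspect, not a verdict."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    gone, new = before - after, after - before
    findings = []
    for old in sorted(gone):
        for cur in sorted(new):
            same_slot = (old.hive, old.key) == (cur.hive, cur.key)
            same_dir = ntpath.dirname(old.image) == ntpath.dirname(cur.image)
            if same_slot and same_dir and old.image != cur.image:
                findings.append((old.hive + "\\..\\" + old.key,
                                 ntpath.basename(old.image),
                                 ntpath.basename(cur.image)))
    return findings


# Constructed sample snapshots in HijackThis O4 format (not from the thread).
BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hqzpe] C:\WINDOWS\System32\ekfitve.exe r
O4 - HKCU\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tkwob] C:\WINDOWS\System32\pldmzra.exe r
O4 - HKCU\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

if __name__ == "__main__":
    for slot, old, new in renamed_autostarts(BEFORE, AFTER):
        print(f"{slot}: {old} was replaced by {new}")
```

Each pair names the registry location to clean from Safe mode; a HijackThis log covers only the account it was run under, so the HKCU comparison has to be repeated per account.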
August 21, 2005 2:12:55 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Thanks Rick ,, that's what i figured ,, i've run the anti virus through
this thing many times along with antispyware and keep nailing little
buggers ,,there's 6 accounts on this computer between normal and safe modes
and trying to eradicate this thing is just sending me in circles.

The only thing that the spyware scanners can't get rid of is one key in the
registry for Altnet , which was probably put there when this person
installed Kazaa ,,, tried every which way to get this deleted , but can't.

Could this be the culprit??

"Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:



> Hi,
>
> Nasty little virus you have there, and that name changing is a means
> of protecting itself and preventing removal. It occurs as there is
> another function in place that checks for the presence of the virus,
> and if not there it creates a new instance (hence the name change you
> see). The way to defeat it is in Safe mode where neither the bug or
> the check is active. From there you will be able to delete the files
> involved and the registry entries that load them. If you do not get
> the latter, then a new instance will be created when you start in
> normal mode. Make sure to check the run keys in all of the HKCU
> entries in addition to the HKLM keys.
>
August 21, 2005 3:03:07 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

Thanks,,,,,,,,,Frank,,,,,,,,,,,,,,for nothing,,,,,,,,,,,,,,,,,,

"Frank DeLucca, MS-MPV" <frank.delucca.microsoft@gmail.com> wrote in
news:20050821155250.08C0545796@smtp4.wanadoo.nl:

>
>
> "LouisG" <imnot@home.com> wrote in message
> news:Xns96B964E7D447111241959@216.196.97.142...
>>I have a computer that i'm working on ,, and i have discovered a
>>little
>> oddity and can't find an answer to.
>>
>> I open up task manager and i find a weird looking file running in the
>> process , let's call this file ekfitve.exe for example ,, then i find
>> this file in c:\windows\system32 folder ,,, if i put both windows
>> side by side and then end the process in task mgr ,, i can see this
>> file change it's name right in front of me ,,,then it appears with
>> that name in task mgr.
>>
>> The file is always a weird combo of letters and it never seems to
>> repeat itself ,,, i've tried deleting the file ,,but of course can't
>> access it and
>> i've tried going through Xp's repair option to try and get it before
>> it loads ,, but of course with it changing it's name ,, what do i
>> look for? There's no way of locating it.
>>
>> I was thinking of one last shot of getting this bugger ,,with any
>> help from
>> here , before deep sixing the system and starting from scratch.
>>
>> Any suggestions????
>>
>> Thanks , Gord
>>
>
> Your " , " key is b0rken. Replace your keyboard to get rid of your
> problems. O, and install Service Pak 2, if you haven't done so
> already.
>
August 21, 2005 4:16:03 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

LouisG wrote:

> Thanks Rick ,, that's what i figured ,, i've run the anti virus through
> this thing many times along with antispyware and keep nailing little
> buggers ,,there's 6 accounts on this computer between normal and safe modes
> and trying to eradicate this thing is just sending me in circles.
>
> The only thing that the spyware scanners can't get rid of is one key in the
> registry for Altnet , which was probably put there when this person
> installed Kazaa ,,, tried every which way to get this deleted , but can't.
>
> Could this be the culprit??
>
> "Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
> news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:
>
>
>
>
>>Hi,
>>
>>Nasty little virus you have there, and that name changing is a means
>>of protecting itself and preventing removal. It occurs as there is
>>another function in place that checks for the presence of the virus,
>>and if not there it creates a new instance (hence the name change you
>>see). The way to defeat it is in Safe mode where neither the bug or
>>the check is active. From there you will be able to delete the files
>>involved and the registry entries that load them. If you do not get
>>the latter, then a new instance will be created when you start in
>>normal mode. Make sure to check the run keys in all of the HKCU
>>entries in addition to the HKLM keys.
>>
>
>

Have you checked the permissions on that registry key?

BTW, please don't post Hijackthis logs here. Contrary to pcbutts1, and
he has been told many times, this is not the forum for it. But HJT is a
good resource. Download, run it, and post the log to one of the
specialty forums.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

--
Rock
MS MVP Windows - Shell/User
Anonymous
August 21, 2005 7:14:53 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Hi Louis,

While the spyware is an issue, it's not the cause of this problem, nor are
spyware cleaners the way to resolve it. Free virus removal tools that can be
used in Safe mode (run in all accounts before returning to normal mode):

http://vil.nai.com/vil/stinger/
http://www.emsisoft.com/en/
http://free.grisoft.com/doc/8/lng/us/tpl/v5/nid/3001#30...
http://www.f-secure.com/download-purchase/tools.shtml

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"LouisG" <imnot@home.com> wrote in message
news:Xns96B96A55BA63F11241959@216.196.97.142...
> Thanks Rick ,, that's what i figured ,, i've run the anti virus through
> this thing many times along with antispyware and keep nailing little
> buggers ,,there's 6 accounts on this computer between normal and safe
> modes
> and trying to eradicate this thing is just sending me in circles.
>
> The only thing that the spyware scanners can't get rid of is one key in
> the
> registry for Altnet , which was probably put there when this person
> installed Kazaa ,,, tried every which way to get this deleted , but can't.
>
> Could this be the culprit??
>
> "Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
> news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:
>
>
>
>> Hi,
>>
>> Nasty little virus you have there, and that name changing is a means
>> of protecting itself and preventing removal. It occurs as there is
>> another function in place that checks for the presence of the virus,
>> and if not there it creates a new instance (hence the name change you
>> see). The way to defeat it is in Safe mode where neither the bug or
>> the check is active. From there you will be able to delete the files
>> involved and the registry entries that load them. If you do not get
>> the latter, then a new instance will be created when you start in
>> normal mode. Make sure to check the run keys in all of the HKCU
>> entries in addition to the HKLM keys.
>>
>
Anonymous
August 21, 2005 7:23:55 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

Download, install, update and run all of the following.

Ad-Aware
http://www.pcbutts1.com/downloads/aawsepersonal.exe

Spybot search and destroy
http://www.pcbutts1.com/downloads/spybotsd14.exe

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/details.aspx?FamilyI...

If none of the above fixes the issue then download Hijack this, run it, save
a copy of the log file and cut and paste it back here to this group so that
I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
to see it not them.


HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"LouisG" <imnot@home.com> wrote in message
news:Xns96B969B5E840B11241959@216.196.97.142...
> I've cleaned the computer with these ,, there are six accounts on this
> computer , including the admin through safe mode , with three different
> types of cleaners ,,including spybot ,, and they catch things , but it
> still happens ,,,,the only thing that doesn't seem to get cleaned is a
> key in the registry for Altnet.
>
> DanS <t.h.i.s.n.t.h.a.t@a.d.e.l.p.h.i.a..n.e.t> wrote in
> news:Xns96B969B485191idispcom@216.196.97.142:
>
>> LouisG <imnot@home.com> wrote in
>> news:Xns96B964E7D447111241959@216.196.97.142:
>>
>>> I have a computer that i'm working on ,, and i have discovered a
>>> little oddity and can't find an answer to.
>>>
>>> I open up task manager and i find a weird looking file running in the
>>> process , let's call this file ekfitve.exe for example ,, then i find
>>> this file in c:\windows\system32 folder ,,, if i put both windows
>>> side by side and then end the process in task mgr ,, i can see this
>>> file change it's name right in front of me ,,,then it appears with
>>> that name in task mgr.
>>>
>>> The file is always a weird combo of letters and it never seems to
>>> repeat itself ,,, i've tried deleting the file ,,but of course can't
>>> access it and i've tried going through Xp's repair option to try and
>>> get it before it loads ,, but of course with it changing it's name ,,
>>> what do i look for? There's no way of locating it.
>>>
>>> I was thinking of one last shot of getting this bugger ,,with any
>>> help from here , before deep sixing the system and starting from
>>> scratch.
>>>
>>> Any suggestions????
>>>
>>> Thanks , Gord
>>
>> that's not a really odd problem, it's some type of spyware/adware, and
>> this is typical behavior.
>>
>> try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
>>
>>
>
August 21, 2005 7:23:56 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general (More info?)

Logfile of HijackThis v1.99.1
Scan saved at 11:39:19 AM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\xzmofgh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Labtec\moffice.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Labtec\MOUSE32A.DAT
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {05304F16-6B90-4DF6-B537-A5AF69F3B5C2} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12E63F60-1CF7-46D5-AEDF-6539DCA2A80C} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {1F302361-DE67-46C2-B076-F713FD319563} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {25B633B4-F5AC-42EA-A08B-6E0AA8E1574B} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {27E68F6D-F18D-4133-B8AB-C29D4F08962A} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {288A04BC-275E-4194-9B66-A03F809109A8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {2A267F59-7549-4E90-A507-1CC19AE039B8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {2B7BAEDB-E0E4-40A1-A852-603E01000116} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {2FE61C11-3C38-4CD4-85F1-F8ADFFC4DA11} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {31F6C1AE-E283-491E-81F5-4E8A590D90BF} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {3DBF3268-6A9D-4751-AD8C-B905F1AF596A} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {4100741B-0E67-422F-9458-4358139790CA} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {4163C8E3-8B29-4D05-AFAB-FB7C252B093D} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {43B036DC-143A-4EF5-9EF8-BEE04B0B9B33} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {49661D5C-D6E4-A035-C15E-DB98BB45A29F} - C:\WINDOWS
\System32\lny.dll
O2 - BHO: (no name) - {4B900EC1-C2DE-44D5-92C0-AD424BA59198} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {4BE852D9-F37D-430D-9BB8-C64D3864CF48} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {50304AFC-D621-4860-8F57-B2356A00CEF8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {50EBBC08-EC30-4F25-B273-EA71CE928B71} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {516B5C4D-C164-4F31-9A66-A3642B718D33} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {5274F34D-27C5-43E9-97F4-E7631B35A83E} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5B185C59-9E7A-4269-B2B0-B4598C29A020} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {5D878741-964E-46F3-A6A6-4E78CA79FFF9} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
O2 - BHO: (no name) - {66192BC7-E190-4869-8196-538CBF6A7FCC} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {66935611-FC52-4D08-91AD-A8E8348216CB} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {69EAD774-5D52-4189-B454-7C0ED79DCB24} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {6C2F3C34-3745-4974-9070-00B42626D328} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {6FA7A7D4-42A6-4D33-8A99-5F5F635A4271} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {78820481-EDEF-4C47-BC5E-B098D4F1828E} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {7FC992CD-B6D9-4CAB-9713-FD401CD171EB} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {86904BCA-D91E-4CE3-986C-535E07547039} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {8F038E9C-E309-43F5-A8B5-C840A01EB73B} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {92E367C0-F36C-4302-BD38-108A45B33249} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A1ED8367-FC52-48E1-A089-D547527F2226} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A1FC27AB-D787-424B-B350-C9F5B6C39040} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A3464DBE-BE74-4C2E-A6ED-4AC9C33A4E58} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A9BAAB80-EDBC-4784-AB99-73AE226FEA25} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {B199BAFC-DB92-455E-AF16-77B0DD2DECF0} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {B570451E-00F7-4234-9225-6AD5194D17E2} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {B99E1544-FE8E-4AE1-BF16-C7CD05528AD7} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {BE111ACF-0E7B-4D59-944D-7AE096436D18} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {C17184CB-1239-4864-B89E-B5F80EA630F5} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {C1E368F7-DD7A-43D3-81EE-69EE5D7F3924} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {C68DE86F-9611-4738-9A85-3EE3BC847B30} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {CED69274-67B9-4AB8-BB0B-681294DDE067} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D2F16FB3-FEE4-410F-A2F5-AE57CBA2AA1F} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D31A67EC-58E1-4713-A05C-9C1C576161FE} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D35E5601-7BA2-4DC2-BEC6-FEABBA88D4C9} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D4603105-AA26-4D2C-9C6D-0FA6A878CAE8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D9967231-452F-4FCC-A9C7-DBA57FBF1F7D} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {DA021E5B-3F3F-4770-91B2-7B1D03135165} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {DA03C223-2073-4E29-A804-14CB8BEA824D} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E2B5FB51-3CD3-44CA-A4A3-FE48C8F6022F} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E4D72068-602F-48BF-967B-D763C185E79C} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E4F45D9C-6EC3-4351-88B4-035AD6834456} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E53C6742-A264-4950-BC5A-3DF5A7325AA3} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {EA01ABBE-FCC2-49E6-97CD-1ACE2C3FD5EB} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {ED32D562-5CA5-4D17-8430-3C3394897C55} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {F06B2B78-AA33-4AE1-A11A-EC4B41E006E6} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {FDA8A821-67B5-4E59-94E0-1728AF8919D0} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {FFF60A14-6FD8-40D7-A02C-9D7CFF458978} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O3 - Toolbar: (no name) - {A27CB27E-2D1B-4A60-8843-75AE9419FD0E} - (no
file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no
file)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no
file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:
\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [egruxcg] C:\WINDOWS\System32\xzmofgh.exe r
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
\Tools\tools.exe
O4 - HKCU\..\Run: [wmegfi] C:\WINDOWS\System32\wmegfi.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} -
file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
(file missing) (HKCU)
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/controls/y...
urrent.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
- http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall....
rth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls...
eb_site.cab?1120351775546
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BEA91D4-EEFA-4D4F-BE7E-
0DAA3A47C660}: NameServer = 49.10.68.10,209.226.175.223
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
tdbank.ca,ctwan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
tdbank.ca,ctwan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList =
tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
tdbank.ca,ctwan.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown
owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
\Program Files\iPod\bin\iPodService.exe
O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
\soundman.exe" -service (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:
\windows\SvcProc.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)




"pcbutts1" <pcbutts1@seedsv.com> wrote in
news:f01Oe.104$L77.17@newssvr19.news.prodigy.com:

> Download, install, update and run all of the following.
>
> Ad-Aware
> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>
> Spybot search and destroy
> http://www.pcbutts1.com/downloads/spybotsd14.exe
>
> Ewido Security Suite Trial version
> http://www.pcbutts1.com/downloads/ewidosetup.exe
>
> Microsoft Windows AntiSpyware (Beta1)
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
> 4C57-A8BD-DBF62EDA9671&displaylang=en
>
> If none of the above fixes the issue then download Hijack this, run
> it, save a copy of the log file and cut and paste it back here to this
> group so that I can analyze it. Ignore anyone who tells you to post it
> elsewhere. I need to see it not them.
>
>
> HijackThis
> http://www.pcbutts1.com/downloads/HijackThis.zip
>
Anonymous
August 21, 2005 7:23:57 PM

Have hijackthis fix these lines:


> Logfile of HijackThis v1.99.1
> Scan saved at 11:39:19 AM, on 8/21/2005
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\QuickTime\qttask.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Anonymous
August 21, 2005 7:23:57 PM

You don't have a problem, but it could be spyware so format and reinstall.


--

"Instead of trying to bash me you should try to learn from me and
archive my posts so you can better help people in the future. If you don't
understand something I post then ask me my email is valid."

- pcbutts1.@thisoldtreehouse.com
- pcbutts1.@seedsv.com




Anonymous
August 21, 2005 9:26:58 PM

Ignore that other pcbutts1 he is a name forging troll. Follow the advice I
give you. If you are not sure who the real one is just email me my email is
valid. You can also check the message headers and my sig file at the bottom
of this message.

You are infected with Aurora/Nail. Follow the instructions below and then
post another HijackThis log.
Please download ewido security suite; it is a free version of the program.
http://www.pcbutts1.com/downloads/ewidosetup.exe
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database
could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being
installed.
(the status bar at the bottom will display "Update successful")
Exit ewido. DO NOT SCAN YET.

Download CCleaner and install it, but do not run it yet.
http://www.pcbutts1.com/downloads/ccsetup122.exe

Please download this file: Revised Installer for the Nailfix Utility
http://www.pcbutts1.com/downloads/nailfix1.exe
Save it to your desktop.
DO NOT RUN IT YET.

Next configure Windows to show all files

Do one of the following:
In Windows XP, on the taskbar, click Start > My Computer.
In Windows 2000/Me/98, on the Windows desktop, double-click the My Computer
icon.
Do one of the following:
In Windows XP/2000/Me, on the Tools menu, click Folder Options.
In Windows 98, on the View menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Do one of the following:
In Windows XP/2000/Me, uncheck Hide protected operating system files. Then,
under the "Hidden files" folder, click Show hidden files and folders.
In Windows 98, in the Advanced Settings box, under the "Hidden files"
folder, click Show all files.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer. After hearing your computer beep once during startup,
but before the Windows icon appears, press F8. Instead of Windows loading as
normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup
Make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open
and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the
action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now as the action.
Once the scan has completed, there will be a button located on the bottom of
the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find
it easily.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere
and the game "Risk")

Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
Now run HijackThis, click Scan, and place a checkmark next to each of the
following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HJT, then click the Fix Checked button.
Close HJT.

Locate and delete the following File
C:\WINDOWS\Nail.exe
For Windows NT or 2000 it would be
C:\winnt\Nail.exe

Now run CCleaner
Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies"
under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a
while to run.

Finally, restart your computer in normal mode and please post a new
HijackThis log, as well as the report log from the Ewido scan by using Add
Reply.

If IE is not working, the links I gave you are direct download links and
should work. If they don't then paste them into another browser or explorer
window. If you have no other browser then email me with a valid email
address and I will send you one. We will fix IE after all the spyware is
gone.




--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
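
The entries this advice turns on can be picked out of a pasted log mechanically. The following is an added example, not part of the original posts: it rejoins the line-wrapped HijackThis entries and flags the persistence patterns visible in the log posted in this thread. The rule names, the look-alike table and the system-name list are assumptions made for this example, and a flag is a prompt to verify the file, not a verdict.

```python
import re

# Entries copied from the HijackThis log posted in this thread, with the
# newsreader's hard line wraps left in place.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [egruxcg] C:\WINDOWS\System32\xzmofgh.exe r
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKCU\..\Run: [wmegfi] C:\WINDOWS\System32\wmegfi.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
\Program Files\iPod\bin\iPodService.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)
"""

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")      # "F2 - ", "O4 - ", "O23 - "
EXE = re.compile(r"([^\\/\s\"]+\.exe)\b")           # bare executable file names
# Assumption: names taken from the "Running processes" list of the same log.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "explorer.exe", "smss.exe", "spoolsv.exe"}
# Assumption: digits commonly swapped in for similar-looking letters.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s"})


def unwrap(text):
    """Rejoin entries that a mail/news client wrapped across lines."""
    entries, in_entry = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
            in_entry = True
        elif not line:
            in_entry = False                 # a blank line ends the entry
        elif in_entry:
            if line.startswith("\\") or re.search(r"\S-$", entries[-1]):
                entries[-1] += line          # wrap fell inside a path or GUID
            else:
                entries[-1] += " " + line    # wrap fell at a space
    return entries


def triage(entry):
    """Return the list of flags raised by one unwrapped log entry."""
    section, _, rest = entry.partition(" - ")
    low = rest.lower()
    flags = []
    if section == "F2" and "shell=" in low:
        shell = low.split("shell=", 1)[1].split()
        if shell[1:]:        # anything listed after explorer.exe runs at logon
            flags.append("shell-extra-program")
    if section == "O4":
        cmd = rest.split("] ", 1)[-1].strip('"').lower()
        if "\\" not in cmd.split(".exe")[0]:
            flags.append("autorun-no-path")          # resolved via search path
        if "\\windows\\system32\\" in cmd:
            flags.append("autorun-from-system32")    # verify origin of the file
    if section == "O23" and "unknown owner" in low and "(file missing)" in low:
        flags.append("service-unknown-owner-file-missing")
    for name in EXE.findall(low):
        if name not in SYSTEM_NAMES and name.translate(LOOKALIKE) in SYSTEM_NAMES:
            flags.append("lookalike-system-name")
    return flags


def scan(text):
    """Map each flagged entry to its flags, in log order."""
    result = {}
    for entry in unwrap(text):
        flags = triage(entry)
        if flags:
            result[entry] = flags
    return result


if __name__ == "__main__":
    for entry, flags in scan(SAMPLE_LOG).items():
        print(", ".join(flags), "<-", entry)
```
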
August 21, 2005 9:26:59 PM

Okay ,, here are the two new logs,,,

Logfile of HijackThis v1.99.1
Scan saved at 5:44:11 PM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Labtec\moffice.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Labtec\MOUSE32A.DAT
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18
\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
- http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls...
eb_site.cab?1120351775546
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown
owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
\Program Files\iPod\bin\iPodService.exe
O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
\soundman.exe" -service (file missing)
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:31:27 PM, 8/21/2005
+ Report-Checksum: D492D10F

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during
cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error
during cleaning
C:\RECYCLER\S-1-5-21-1060284298-1715567821-839522115-500\Dc8.exe ->
Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\EGCOMLIB_1035.dll -> Dialer.Generic : Cleaned
with backup


::Report End



What do you suggest now?? And thanks for your help.

"pcbutts1" <pcbutts1@seedsv.com> wrote in
news:CP2Oe.37$sV7.36@newssvr21.news.prodigy.com:

> Ignore that other pcbutts1 he is a name forging troll. Follow the
> advice I give you. If you are not sure who the real one is just email
> me my email is valid. You can also check the message headers and my
> sig file at the bottom of this message.
>
> You are infected with Aurora/Nail follow the instructions below and
> then post another hijackthis log.
> Please download ewido security suite it is a free version of the
> program. http://www.pcbutts1.com/downloads/ewidosetup.exe
> Install ewido security suite
> When installing, under "Additional Options" uncheck..
> Install background guard
> Install scan via context menu
> Launch ewido, there should be an icon on your desktop, double-click
> it. The program will now open to the main screen.
> When you run ewido for the first time, you will get a warning
> "Database could not be found!". Click OK. We will fix this in a
> moment. You will need to update ewido to the latest definition files.
> On the left hand side of the main screen click update.
> Then click on Start Update.
> The update will start and a progress bar will show the updates being
> installed.
> (the status bar at the bottom will display "Update successful")
> Exit ewido. DO NOT SCAN YET.
>
> Download CCleaner and install it, but do not run it yet.
> http://www.pcbutts1.com/downloads/ccsetup122.exe
>
> Please download this file: Revised Installer for the Nailfix Utility
> http://www.pcbutts1.com/downloads/nailfix1.exe
> Save it to your desktop.
> DO NOT RUN IT YET.
>
> Next configure Windows to show all files
>
> Do one of the following:
> In Windows XP, on the taskbar, click Start > My Computer.
> In Windows 2000/Me/98, on the Windows desktop, double-click the My
> Computer icon.
> Do one of the following:
> In Windows XP/2000/Me, on the Tools menu, click Folder Options.
> In Windows 98, on the View menu, click Folder Options.
> On the View tab, uncheck Hide file extensions for known file types.
> Do one of the following:
> In Windows XP/2000/Me, uncheck Hide protected operating system files.
> Then, under the "Hidden files" folder, click Show hidden files and
> folders. In Windows 98, in the Advanced Settings box, under the
> "Hidden files" folder, click Show all files.
> If you see a warning message, click Yes.
> Click Apply.
> Click OK.
>
> Next, please reboot your computer in SafeMode by doing the following:
> Restart your computer. After hearing your computer beep once during
> startup, but before the Windows icon appears, press F8. Instead of
> Windows loading as normal, a menu should appear
> Select the first option, to run Windows in Safe Mode.
> Once in Safe Mode, please double-click on nailfix.exe.
> Click "Next" in the setup
> Make sure "Run Nailfix" is checked and click "Finish".
> Your desktop and icons will disappear and reappear, and a window
> should open and close very quickly --- this is normal.
>
> Now open ewido and do a scan of your system.
> Click on scanner
> Click on Complete System Scan and the scan will begin.
> NOTE: During some scans with ewido it is finding cases of false
> positives.** You will need to step through the process of cleaning
> files one-by-one. If ewido detects a file you KNOW to be legitimate,
> select none as the action.
> DO NOT select "Perform action on all infections"
> If you are unsure of any entry found select none for now as the
> action. Once the scan has completed, there will be a button located on
> the bottom of the screen named Save report
> Click Save report.
> Save the report .txt file to your desktop or a location where you can
> find it easily.
> **(Ewido for example has been flagging parts of AVG Anti-Virus,
> pcAnywhere and the game "Risk")
>
> Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
> Now run HijackThis, click Scan, and place a checkmark next to each of
> the following items:
>
> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
>
> Close all open windows except for HJT, then click the Fix Checked
> button. Close HJT.
>
> Locate and delete the following File
> C:\WINDOWS\Nail.exe
> For Windows NT or 2000 it would be
> C:\winnt\Nail.exe
>
> Now run CCleaner
> Uncheck "Cookies" under "Internet Explorer".
> If running Firefox: click on the "Applications" tab and uncheck
> "Cookies" under "Firefox".
> Click on Run Cleaner in the lower right-hand corner. This can take
> quite a while to run.
>
> Finally, restart your computer in normal mode and please post a new
> HijackThis log, as well as the report log from the Ewido scan by using
> Add Reply.
>
> If IE is not working, the links I gave you are direct download links
> and should work. If they don't then paste them into another browser or
> explorer window. If you have no other browser then email me with a
> valid email address and I will send you one. We will fix IE after all
> the spyware is gone.
>
>
>
>
Anonymous
August 21, 2005 9:27:00 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Looks clean.


--

"Instead of trying to bash me you should try to learn from me and
archive my posts so you can better help people in the future. If you don't
understand something I post then ask me my email is valid."

- pcbutts1.@thisoldtreehouse.com
- pcbutts1.@seedsv.com




LouisG wrote:
> Okay ,, here are the two new logs,,,
>
> Logfile of HijackThis v1.99.1
> Scan saved at 5:44:11 PM, on 8/21/2005
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> C:\Program Files\ewido\security suite\ewidoctrl.exe
> C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\QuickTime\qttask.exe
> C:\Program Files\Labtec\moffice.exe
> C:\Program Files\MessengerPlus! 3\MsgPlus.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\Program Files\Labtec\MOUSE32A.DAT
> C:\WINDOWS\System32\wuauclt.exe
> C:\WINDOWS\System32\taskmgr.exe
> C:\WINDOWS\System32\wuauclt.exe
> C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18
> \2cf41f1db14bc8f414e16e1555b77108\update\update.exe
> C:\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
> http://www.iquicksearch.net/search.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
> WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
> about:blank
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
> Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
> O2 - BHO: AcroIEHlprObj Class -
> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
> Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
> C: \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
> C:\DOCUME~ 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
> O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
> Creator 5\DirectCD\DirectCD.exe"
> O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
> \iTunesHelper.exe"
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
> \qttask.exe" -atboottime
> O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program
> Files\Labtec\moffice.exe O4 - HKLM\..\Run: [MessengerPlus3]
> "C:\Program Files\MessengerPlus! 3 \MsgPlus.exe"
> O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> /STARTUP
> O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
> \tools.exe
> O4 - HKLM\..\RunServices: [soundman] soundman.exe
> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
> \Tools\tools.exe
> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
> \tools.exe
> O8 - Extra context menu item: &Search -
> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
> \PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
> - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console -
> {08B0E5C0-4FCB-11CF-AAA5- 00401C608501} - C:\Program
> Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
> O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
> 0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
> O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
> {E5D12C4E-7B4F-11D3-B5C9- 0050045C3C96} -
> C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
> - C:\Program Files\Messenger\MSMSGS.EXE
> O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
> 00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
> O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
> Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl
> Class) -
> http://update.microsoft.com/windowsupdate/v6/V5Controls...
> eb_site.cab?1120351775546
> O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.
> - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
> \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> O23 - Service: ewido security suite control - ewido networks -
> C:\Program Files\ewido\security suite\ewidoctrl.exe
> O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) -
> Unknown owner - C:\Program Files\Intel\Intel NetStructure VPN
> Client\icsrv.exe O23 - Service: iPod Service (iPodService) - Apple
> Computer, Inc. - C: \Program Files\iPod\bin\iPodService.exe
> O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
> \soundman.exe" -service (file missing)
> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
> \SVCH0ST.exe" -service (file missing)
>
>
> ---------------------------------------------------------
> ewido security suite - Scan report
> ---------------------------------------------------------
>
> + Created on: 5:31:27 PM, 8/21/2005
> + Report-Checksum: D492D10F
>
> + Scan result:
>
> HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
> HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during
> cleaning
> HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error
> during cleaning
> C:\RECYCLER\S-1-5-21-1060284298-1715567821-839522115-500\Dc8.exe ->
> Trojan.Agent.gp : Cleaned with backup
> C:\WINDOWS\system32\EGCOMLIB_1035.dll -> Dialer.Generic : Cleaned
> with backup
>
>
> ::Report End
>
>
>
> What do you suggest now?? And thanks for your help.
>
> "pcbutts1" <pcbutts1@seedsv.com> wrote in
> news:CP2Oe.37$sV7.36@newssvr21.news.prodigy.com:
>
>> Ignore that other pcbutts1 he is a name forging troll. Follow the
>> advice I give you. If you are not sure who the real one is just email
>> me my email is valid. You can also check the message headers and my
>> sig file at the bottom of this message.
>>
>> You are infected with Aurora/Nail follow the instructions below and
>> then post another hijackthis log.
>> Please download ewido security suite it is a free version of the
>> program. http://www.pcbutts1.com/downloads/ewidosetup.exe
>> Install ewido security suite
>> When installing, under "Additional Options" uncheck..
>> Install background guard
>> Install scan via context menu
>> Launch ewido, there should be an icon on your desktop, double-click
>> it. The program will now open to the main screen.
>> When you run ewido for the first time, you will get a warning
>> "Database could not be found!". Click OK. We will fix this in a
>> moment. You will need to update ewido to the latest definition files.
>> On the left hand side of the main screen click update.
>> Then click on Start Update.
>> The update will start and a progress bar will show the updates being
>> installed.
>> (the status bar at the bottom will display "Update successful")
>> Exit ewido. DO NOT SCAN YET.
>>
>> Download CCleaner and install it, but do not run it yet.
>> http://www.pcbutts1.com/downloads/ccsetup122.exe
>>
>> Please download this file: Revised Installer for the Nailfix Utility
>> http://www.pcbutts1.com/downloads/nailfix1.exe
>> Save it to your desktop.
>> DO NOT RUN IT YET.
>>
>> Next configure Windows to show all files
>>
>> Do one of the following:
>> In Windows XP, on the taskbar, click Start > My Computer.
>> In Windows 2000/Me/98, on the Windows desktop, double-click the My
>> Computer icon.
>> Do one of the following:
>> In Windows XP/2000/Me, on the Tools menu, click Folder Options.
>> In Windows 98, on the View menu, click Folder Options.
>> On the View tab, uncheck Hide file extensions for known file types.
>> Do one of the following:
>> In Windows XP/2000/Me, uncheck Hide protected operating system files.
>> Then, under the "Hidden files" folder, click Show hidden files and
>> folders. In Windows 98, in the Advanced Settings box, under the
>> "Hidden files" folder, click Show all files.
>> If you see a warning message, click Yes.
>> Click Apply.
>> Click OK.
>>
>> Next, please reboot your computer in SafeMode by doing the following:
>> Restart your computer. After hearing your computer beep once during
>> startup, but before the Windows icon appears, press F8. Instead of
>> Windows loading as normal, a menu should appear
>> Select the first option, to run Windows in Safe Mode.
>> Once in Safe Mode, please double-click on nailfix.exe.
>> Click "Next" in the setup
>> Make sure "Run Nailfix" is checked and click "Finish".
>> Your desktop and icons will disappear and reappear, and a window
>> should open and close very quickly --- this is normal.
>>
>> Now open ewido and do a scan of your system.
>> Click on scanner
>> Click on Complete System Scan and the scan will begin.
>> NOTE: During some scans with ewido it is finding cases of false
>> positives.** You will need to step through the process of cleaning
>> files one-by-one. If ewido detects a file you KNOW to be legitimate,
>> select none as the action.
>> DO NOT select "Perform action on all infections"
>> If you are unsure of any entry found select none for now as the
>> action. Once the scan has completed, there will be a button located
>> on the bottom of the screen named Save report
>> Click Save report.
>> Save the report .txt file to your desktop or a location where you can
>> find it easily.
>> **(Ewido for example has been flagging parts of AVG Anti-Virus,
>> pcAnywhere and the game "Risk")
>>
>> Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
>> Now run HijackThis, click Scan, and place a checkmark next to each of
>> the following items:
>>
>> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
>>
>> Close all open windows except for HJT, then click the Fix Checked
>> button. Close HJT.
>>
>> Locate and delete the following File
>> C:\WINDOWS\Nail.exe
>> For Windows NT or 2000 it would be
>> C:\winnt\Nail.exe
>>
>> Now run CCleaner
>> Uncheck "Cookies" under "Internet Explorer".
>> If running Firefox: click on the "Applications" tab and uncheck
>> "Cookies" under "Firefox".
>> Click on Run Cleaner in the lower right-hand corner. This can take
>> quite a while to run.
>>
>> Finally, restart your computer in normal mode and please post a new
>> HijackThis log, as well as the report log from the Ewido scan by
>> using Add Reply.
>>
>> If IE is not working, the links I gave you are direct download links
>> and should work. If they don't then paste them into another browser
>> or explorer window. If you have no other browser then email me with a
>> valid email address and I will send you one. We will fix IE after all
>> the spyware is gone.

--
August 21, 2005 9:27:01 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

"pcbutts1" <pcbuttshead1@seedsv.cum> wrote in
news:1124662548.cf3b34cc4689750171a2f3ba90f4b9ef@teranews:

> Looks clean.
>
>
Thank you very much,,,,but it's not and you know it.
August 22, 2005 12:03:09 AM

Archived from groups: microsoft.public.windowsxp.general

LouisG wrote:

> Okay ,, here are the two new logs,,,
>
> Logfile of HijackThis v1.99.1
> Scan saved at 5:44:11 PM, on 8/21/2005
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>

Louis, don't post Hijackthis logs here. This is not the place for it.
Post it to one of the specialty forums for it.

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

--
Rock
MS MVP Windows - Shell/User
Anonymous
August 22, 2005 2:18:11 AM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

That ewido log is too short; make sure you update it and run it again. Have
hijackthis fix the following lines

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
about:blank
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)

O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)

Download, install, update and run all of the following. Make sure you update
all of them and let them delete Altnet; it is spyware. If you want to use P2P
software then use Limewire www.limewire.com.

Ad-Aware
http://www.pcbutts1.com/downloads/aawsepersonal.exe

Spybot search and destroy
http://www.pcbutts1.com/downloads/spybotsd14.exe

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/details.aspx?FamilyI...


--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"LouisG" <imnot@home.com> wrote in message
news:Xns96B9B65FDAFAB11241959@216.196.97.142...
> Okay ,, here are the two new logs,,,
>
> Logfile of HijackThis v1.99.1
> Scan saved at 5:44:11 PM, on 8/21/2005
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> C:\Program Files\ewido\security suite\ewidoctrl.exe
> C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\QuickTime\qttask.exe
> C:\Program Files\Labtec\moffice.exe
> C:\Program Files\MessengerPlus! 3\MsgPlus.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\Program Files\Labtec\MOUSE32A.DAT
> C:\WINDOWS\System32\wuauclt.exe
> C:\WINDOWS\System32\taskmgr.exe
> C:\WINDOWS\System32\wuauclt.exe
> C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18
> \2cf41f1db14bc8f414e16e1555b77108\update\update.exe
> C:\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
> http://www.iquicksearch.net/search.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
> WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
> about:blank
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
> Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
> \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
> Files\Spybot - Search & Destroy\SDHelper.dll
> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
> 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
> O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
> Creator 5\DirectCD\DirectCD.exe"
> O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
> \iTunesHelper.exe"
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
> \qttask.exe" -atboottime
> O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
> O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
> \MsgPlus.exe"
> O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> /STARTUP
> O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
> \tools.exe
> O4 - HKLM\..\RunServices: [soundman] soundman.exe
> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
> \Tools\tools.exe
> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
> \tools.exe
> O8 - Extra context menu item: &Search -
> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
> \PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
> C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
> 00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
> O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
> 0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
> O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
> 0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\MSMSGS.EXE
> O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
> 00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
> O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
> - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
> http://update.microsoft.com/windowsupdate/v6/V5Controls...
> eb_site.cab?1120351775546
> O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
> \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> O23 - Service: ewido security suite control - ewido networks - C:\Program
> Files\ewido\security suite\ewidoctrl.exe
> O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown
> owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
> O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
> \Program Files\iPod\bin\iPodService.exe
> O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
> \soundman.exe" -service (file missing)
> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
> \SVCH0ST.exe" -service (file missing)
>
>
> ---------------------------------------------------------
> ewido security suite - Scan report
> ---------------------------------------------------------
>
> + Created on: 5:31:27 PM, 8/21/2005
> + Report-Checksum: D492D10F
>
> + Scan result:
>
> HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
> HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during
> cleaning
> HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error
> during cleaning
> C:\RECYCLER\S-1-5-21-1060284298-1715567821-839522115-500\Dc8.exe ->
> Trojan.Agent.gp : Cleaned with backup
> C:\WINDOWS\system32\EGCOMLIB_1035.dll -> Dialer.Generic : Cleaned
> with backup
>
>
> ::Report End
>
>
>
> What do you suggest now?? And thanks for your help.
>
> "pcbutts1" <pcbutts1@seedsv.com> wrote in
> news:CP2Oe.37$sV7.36@newssvr21.news.prodigy.com:
>
>> Ignore that other pcbutts1 he is a name forging troll. Follow the
>> advice I give you. If you are not sure who the real one is just email
>> me my email is valid. You can also check the message headers and my
>> sig file at the bottom of this message.
>>
>> You are infected with Aurora/Nail follow the instructions below and
>> then post another hijackthis log.
>> Please download ewido security suite it is a free version of the
>> program. http://www.pcbutts1.com/downloads/ewidosetup.exe
>> Install ewido security suite
>> When installing, under "Additional Options" uncheck..
>> Install background guard
>> Install scan via context menu
>> Launch ewido, there should be an icon on your desktop, double-click
>> it. The program will now open to the main screen.
>> When you run ewido for the first time, you will get a warning
>> "Database could not be found!". Click OK. We will fix this in a
>> moment. You will need to update ewido to the latest definition files.
>> On the left hand side of the main screen click update.
>> Then click on Start Update.
>> The update will start and a progress bar will show the updates being
>> installed.
>> (the status bar at the bottom will display "Update successful")
>> Exit ewido. DO NOT SCAN YET.
>>
>> Download CCleaner and install it, but do not run it yet.
>> http://www.pcbutts1.com/downloads/ccsetup122.exe
>>
>> Please download this file: Revised Installer for the Nailfix Utility
>> http://www.pcbutts1.com/downloads/nailfix1.exe
>> Save it to your desktop.
>> DO NOT RUN IT YET.
>>
>> Next configure Windows to show all files
>>
>> Do one of the following:
>> In Windows XP, on the taskbar, click Start > My Computer.
>> In Windows 2000/Me/98, on the Windows desktop, double-click the My
>> Computer icon.
>> Do one of the following:
>> In Windows XP/2000/Me, on the Tools menu, click Folder Options.
>> In Windows 98, on the View menu, click Folder Options.
>> On the View tab, uncheck Hide file extensions for known file types.
>> Do one of the following:
>> In Windows XP/2000/Me, uncheck Hide protected operating system files.
>> Then, under the "Hidden files" folder, click Show hidden files and
>> folders. In Windows 98, in the Advanced Settings box, under the
>> "Hidden files" folder, click Show all files.
>> If you see a warning message, click Yes.
>> Click Apply.
>> Click OK.
>>
>> Next, please reboot your computer in SafeMode by doing the following:
>> Restart your computer. After hearing your computer beep once during
>> startup, but before the Windows icon appears, press F8. Instead of
>> Windows loading as normal, a menu should appear
>> Select the first option, to run Windows in Safe Mode.
>> Once in Safe Mode, please double-click on nailfix.exe.
>> Click "Next" in the setup
>> Make sure "Run Nailfix" is checked and click "Finish".
>> Your desktop and icons will disappear and reappear, and a window
>> should open and close very quickly --- this is normal.
>>
>> Now open ewido and do a scan of your system.
>> Click on scanner
>> Click on Complete System Scan and the scan will begin.
>> NOTE: During some scans with ewido it is finding cases of false
>> positives.** You will need to step through the process of cleaning
>> files one-by-one. If ewido detects a file you KNOW to be legitimate,
>> select none as the action.
>> DO NOT select "Perform action on all infections"
>> If you are unsure of any entry found select none for now as the
>> action. Once the scan has completed, there will be a button located on
>> the bottom of the screen named Save report
>> Click Save report.
>> Save the report .txt file to your desktop or a location where you can
>> find it easily.
>> **(Ewido for example has been flagging parts of AVG Anti-Virus,
>> pcAnywhere and the game "Risk")
>>
>> Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
>> Now run HijackThis, click Scan, and place a checkmark next to each of
>> the following items:
>>
>> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
>>
>> Close all open windows except for HJT, then click the Fix Checked
>> button. Close HJT.
>>
>> Locate and delete the following File
>> C:\WINDOWS\Nail.exe
>> For Windows NT or 2000 it would be
>> C:\winnt\Nail.exe
>>
>> Now run CCleaner
>> Uncheck "Cookies" under "Internet Explorer".
>> If running Firefox: click on the "Applications" tab and uncheck
>> "Cookies" under "Firefox".
>> Click on Run Cleaner in the lower right-hand corner. This can take
>> quite a while to run.
>>
>> Finally, restart your computer in normal mode and please post a new
>> HijackThis log, as well as the report log from the Ewido scan by using
>> Add Reply.
>>
>> If IE is not working, the links I gave you are direct download links
>> and should work. If they don't then paste them into another browser or
>> explorer window. If you have no other browser then email me with a
>> valid email address and I will send you one. We will fix IE after all
>> the spyware is gone.
>>
>>
>>
>>
>
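The reply above picks out the HijackThis lines to fix by eye. As an added example (not part of the thread and not HijackThis's own logic), this Python sketch re-joins the newsreader-wrapped entries and flags three patterns visible in the quoted log; the heuristics, the function names and the list of known process names are assumptions made for illustration.

```python
import re

# Entries copied from the HijackThis log quoted in this thread, with the
# newsreader's hard line wraps left in place.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
\Program Files\iPod\bin\iPodService.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)
"""

# A log entry starts with a section code such as R1, F2, O4 or O23.
ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - ")
# Last path component that ends in .exe or .dll.
IMAGE = re.compile(r'\\([^\\"]+?\.(?:exe|dll))', re.I)
# Long and 8.3 short forms of the per-user/all-users data folder on XP.
APPDATA = re.compile(r"\\(?:APPLIC~1|Application Data)\\", re.I)
# Sections that describe autostart entries (Run keys) and services.
AUTOSTART = {"O4", "O23"}
# Assumption: a small allow-list of Windows process names, all of which
# appear in the "Running processes" part of the quoted log.
KNOWN = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
         "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Digits commonly swapped in for letters in imitation file names.
DIGIT_TO_LETTER = str.maketrans("0135", "oles")


def join_wrapped(text):
    """Rebuild one string per entry from hard-wrapped (and '>'-quoted) lines."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            open_entry = False          # a blank line ends the current entry
            continue
        if ENTRY_START.match(line):
            entries.append(line)
            open_entry = True
        elif open_entry:
            # A wrap that starts with a backslash split a path: no space.
            entries[-1] += ("" if line.startswith("\\") else " ") + line
    return entries


def lookalike_of(name):
    """Return the known name that `name` imitates with digits, else None."""
    raw = name.lower()
    norm = raw.translate(DIGIT_TO_LETTER)
    return norm if norm in KNOWN and raw not in KNOWN else None


def triage(text):
    """Return (section, reasons, entry) for entries that match a heuristic."""
    findings = []
    for entry in join_wrapped(text):
        section = ENTRY_START.match(entry).group(1)
        reasons = []
        if "(file missing)" in entry:
            reasons.append("HijackThis reports file missing")
        images = IMAGE.findall(entry)
        if images:
            twin = lookalike_of(images[-1])
            if twin:
                reasons.append(f"name imitates {twin}")
        if section in AUTOSTART and APPDATA.search(entry):
            reasons.append("autostart from an Application Data folder")
        if reasons:
            findings.append((section, reasons, entry))
    return findings


if __name__ == "__main__":
    for section, reasons, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {'; '.join(reasons)}\n    {entry}")
```

A flag here is a prompt for manual review, not a verdict: legitimate software also installs under Application Data, and "(file missing)" can appear when HijackThis misreads a quoted path.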
August 22, 2005 2:18:12 AM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

I've got all those programs updated and it runs ,, catches Altnet ,, but
says it can't delete as it's in memory and asks if it can run on start up
,, but still can't rid the system of it.


"pcbutts1" <pcbutts1@seedsv.com> wrote in
news:D47Oe.48$5k1.26@newssvr27.news.prodigy.net:

> That ewido log is too short; make sure you update it and run it again.
> Have hijackthis fix the following lines
>
> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
> http://www.iquicksearch.net/search.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
> Oh WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
> about:blank
> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
> C: \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
> C:\DOCUME~ 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
>
> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
> \tools.exe
> O4 - HKLM\..\RunServices: [soundman] soundman.exe
> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
> \Tools\tools.exe
> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
> \tools.exe
> O8 - Extra context menu item: &Search -
> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
> \SVCH0ST.exe" -service (file missing)
>
> Download, install, update and run all of the following. Make sure you
> update all of them and let them delete Altnet; it is spyware. If you
> want to use P2P software then use Limewire www.limewire.com.
>
> Ad-Aware
> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>
> Spybot search and destroy
> http://www.pcbutts1.com/downloads/spybotsd14.exe
>
> Ewido Security Suite Trial version
> http://www.pcbutts1.com/downloads/ewidosetup.exe
>
> Microsoft Windows AntiSpyware (Beta1)
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
> 4C57-A8BD-DBF62EDA9671&displaylang=en
>
>
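The HijackThis entries quoted in the post above, run through a small triage script. This is an added example, not part of the thread and not HijackThis's own code; the three heuristics and the `SYSTEM_NAMES` list are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Entries copied from the quoted HijackThis log above, with the newsreader's
# line wraps and stray spaces joined back together.
SAMPLE_LOG = r"""
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32\SVCH0ST.exe" -service (file missing)
"""

# HijackThis section codes that appear in the log on this page.
SECTIONS = {"R1": "IE search/start page", "O2": "Browser Helper Object",
            "O4": "autorun entry", "O8": "IE context menu item",
            "O23": "NT service"}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
BINARY = re.compile(r"([^\\\s\"\]]+\.(?:exe|dll))", re.I)
UNLEET = str.maketrans("015", "ols")   # digits often swapped in for letters
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "explorer.exe"}

def triage(log_text):
    """Return {entry line: [reasons]} for entries that deserve a closer look."""
    findings = defaultdict(list)
    autoruns = defaultdict(list)       # binary name -> O4 lines that load it
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = ENTRY.match(line)
        if not m or m["code"] not in SECTIONS:
            continue
        names = BINARY.findall(m["body"])
        name = names[-1].lower() if names else ""
        if "(file missing)" in line:
            findings[line].append("registered target is missing on disk")
        if name not in SYSTEM_NAMES and name.translate(UNLEET) in SYSTEM_NAMES:
            findings[line].append(f"{name} imitates {name.translate(UNLEET)}")
        if m["code"] == "O4" and name:
            autoruns[name].append(line)
    for name, lines in autoruns.items():
        if len(lines) > 1:             # one binary wired into several keys
            for line in lines:
                findings[line].append(f"{name} starts from {len(lines)} autorun keys")
    return dict(findings)

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        code = entry.split(" - ")[0]
        print(f"{code} ({SECTIONS[code]}): {'; '.join(reasons)}\n    {entry}")
```

The single `soundman` entry and the `tools.dll` BHO pass these three checks, which shows the limit of name-based heuristics: the helper object still has to be judged by where it loads from.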
Anonymous
August 22, 2005 2:18:13 AM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Format and reinstall.


--

"Instead of trying to bash me you should try to learn from me and
archive my posts so you can better help people in the future. If you don't
understand something I post then ask me my email is valid."

- pcbutts1.@thisoldtreehouse.com
- pcbutts1.@seedsv.com




LouisG wrote:
> I've got all those programs updated and it runs, catches Altnet,
> but says it can't delete as it's in memory and asks if it can run on
> start up, but still can't rid the system of it.
>
>
> "pcbutts1" <pcbutts1@seedsv.com> wrote in
> news:D47Oe.48$5k1.26@newssvr27.news.prodigy.net:
>
>> That ewido log is too short; make sure you update it and run it again.
>> Have HijackThis fix the following lines:
>>
>> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
>> http://www.iquicksearch.net/search.htm
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
>> Oh WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
>> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
>> about:blank
>> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
>> C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
>> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
>> C:\DOCUME~1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
>>
>> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
>> \tools.exe
>> O4 - HKLM\..\RunServices: [soundman] soundman.exe
>> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
>> \Tools\tools.exe
>> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
>> \tools.exe
>> O8 - Extra context menu item: &Search -
>> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
>> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
>> \SVCH0ST.exe" -service (file missing)
>>
>> Download, install, update and run all of the following. Make sure you
>> update all of them and let them delete Altnet; it is spyware. If you
>> want to use P2P software then use Limewire www.limewire.com.
>>
>> Ad-Aware
>> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>>
>> Spybot search and destroy
>> http://www.pcbutts1.com/downloads/spybotsd14.exe
>>
>> Ewido Security Suite Trial version
>> http://www.pcbutts1.com/downloads/ewidosetup.exe
>>
>> Microsoft Windows AntiSpyware (Beta1)
>> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>> 4C57-A8BD-DBF62EDA9671&displaylang=en
Anonymous
August 22, 2005 2:42:17 AM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Ad-aware and spybot will get it.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"LouisG" <imnot@home.com> wrote in message
news:Xns96B9BB477465C11241959@216.196.97.142...
> I've got all those programs updated and it runs, catches Altnet, but
> says it can't delete as it's in memory and asks if it can run on start up,
> but still can't rid the system of it.
>
>
> "pcbutts1" <pcbutts1@seedsv.com> wrote in
> news:D47Oe.48$5k1.26@newssvr27.news.prodigy.net:
>
>> That ewido log is too short; make sure you update it and run it again.
>> Have HijackThis fix the following lines:
>>
>> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
>> http://www.iquicksearch.net/search.htm
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyB...
>> Oh WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
>> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
>> about:blank
>> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
>> C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
>> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
>> C:\DOCUME~1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
>>
>> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
>> \tools.exe
>> O4 - HKLM\..\RunServices: [soundman] soundman.exe
>> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
>> \Tools\tools.exe
>> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
>> \tools.exe
>> O8 - Extra context menu item: &Search -
>> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440...
>> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
>> \SVCH0ST.exe" -service (file missing)
>>
>> Download, install, update and run all of the following. Make sure you
>> update all of them and let them delete Altnet; it is spyware. If you
>> want to use P2P software then use Limewire www.limewire.com.
>>
>> Ad-Aware
>> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>>
>> Spybot search and destroy
>> http://www.pcbutts1.com/downloads/spybotsd14.exe
>>
>> Ewido Security Suite Trial version
>> http://www.pcbutts1.com/downloads/ewidosetup.exe
>>
>> Microsoft Windows AntiSpyware (Beta1)
>> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>> 4C57-A8BD-DBF62EDA9671&displaylang=en
>>
>>
>
August 22, 2005 3:07:47 AM

Archived from groups: microsoft.public.windowsxp.general

Thank you!

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
http://www.kellys-korner-xp.com/taskbarplus!.htm


"Rock" <rock@mail.nospam.net> wrote in message
news:eM%23BIYspFHA.616@TK2MSFTNGP15.phx.gbl...
> LouisG wrote:
>
>> Okay ,, here are the two new logs,,,
>>
>> Logfile of HijackThis v1.99.1
>> Scan saved at 5:44:11 PM, on 8/21/2005
>> Platform: Windows XP SP1 (WinNT 5.01.2600)
>> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>>
>
> Louis, don't post Hijackthis logs here. This is not the place for it.
> Post it to one of the specialty forums for it.
>
> Forums to Interpret HijackThis Logs:
>
> http://www.spywareinfo.com/forums/
> http://forum.aumha.org/viewforum.php?f=30
> http://forums.tomcoyote.org/
> http://www.wilderssecurity.com/
>
> --
> Rock
> MS MVP Windows - Shell/User
>
Anonymous
August 22, 2005 1:48:13 PM

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

You don't have a problem, but it could be spyware so format and reinstall.


--

"Instead of trying to bash me you should try to learn from me and
archive my posts so you can better help people in the future. If you don't
understand something I post then ask me my email is valid."

- pcbutts1.@thisoldtreehouse.com
- pcbutts1.@seedsv.com




LouisG wrote:
> I have a computer that i'm working on ,, and i have discovered a
> little oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find
> this file in c:\windows\system32 folder ,,, if i put both windows
> side by side and then end the process in task mgr ,, i can see this
> file change it's name right in front of me ,,,then it appears with
> that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to
> repeat itself ,,, i've tried deleting the file ,,but of course can't
> access it and i've tried going through Xp's repair option to try and
> get it before it loads ,, but of course with it changing it's name ,,
> what do i look for? There's no way of locating it.
>
> I was thinking of one last shot of getting this bugger ,,with any
> help from here , before deep sixing the system and starting from
> scratch.
>
> Any suggestions????
>
> Thanks , Gord

--
August 23, 2005 6:23:53 AM

Archived from groups: microsoft.public.windowsxp.general

Kelly wrote:

> Thank you!
>

YW...nice seeing you back, though only occasionally.

--
Rock
MS MVP Windows - Shell/User
August 24, 2005 6:06:04 AM

Archived from groups: microsoft.public.windowsxp.general

Thank you, Rock. Is nice to be missed, I think! <w>

Have been so busy with school taking back in.

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
http://www.kellys-korner-xp.com/taskbarplus!.htm


"Rock" <rock@mail.nospam.net> wrote in message
news:uzddiR8pFHA.2776@TK2MSFTNGP10.phx.gbl...
> Kelly wrote:
>
>> Thank you!
>>
>
> YW...nice seeing you back, though only occasionally.
>
> --
> Rock
> MS MVP Windows - Shell/User
>
August 24, 2005 6:10:37 AM

Archived from groups: microsoft.public.windowsxp.general

Kelly wrote:

> Thank you, Rock. Is nice to be missed, I think! <w>
>
> Have been so busy with school taking back in.
>

Lol..rereading what I wrote it could be interpreted as meaning
occasionally it's nice to see you back here, or...it's nice seeing you
back here since lately it's been only occasionally. I'm sure you know
which branch I meant ;-)

You're going back to school...

--
Rock
MS MVP Windows - Shell/User
August 25, 2005 5:03:08 AM

Archived from groups: microsoft.public.windowsxp.general

Caught the correct branch and thanks again! <w>

As for school, not me three degrees are enough. Will get to my masters one
day (I hope)!

Meant my boys still at home. High School took back for them two weeks now.
Summer was short and Halo2 driven. I survived that; however, the 360 is
just around the corner. :o )

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
http://www.kellys-korner-xp.com/taskbarplus!.htm


"Rock" <rock@mail.nospam.net> wrote in message
news:%23rWPyuIqFHA.2240@tk2msftngp13.phx.gbl...
> Kelly wrote:
>
>> Thank you, Rock. Is nice to be missed, I think! <w>
>>
>> Have been so busy with school taking back in.
>>
>
> Lol..rereading what I wrote it could be interpreted as meaning
> occasionally it's nice to see you back here, or...it's nice seeing you
> back here since lately it's been only occasionally. I'm sure you know
> which branch I meant ;-)
>
> You're going back to school...
>
> --
> Rock
> MS MVP Windows - Shell/User
>
August 25, 2005 6:33:27 AM

Archived from groups: microsoft.public.windowsxp.general

Kelly wrote:
> Caught the correct branch and thanks again! <w>
>
> As for school, not me three degrees are enough. Will get to my masters one
> day (I hope)!
>
> Meant my boys still at home. High School took back for them two weeks now.
> Summer was short and Halo2 driven. I survived that; however, the 360 is
> just around the corner. :o )
>

It's always something.

--
Rock
MS MVP Windows - Shell/User