Options

Infected with something...

Unknown
edited April 2005 in Spyware & Virus Removal
I've been infected with something. I was viewing an online video and noticed several prgrams being installed without prompts, and now I am in pop-up hell!

I ran Ad-aware and Spybot, and here is a copy of my HiJack This log:

Logfile of HijackThis v1.98.2
Scan saved at 8:38:18 AM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gahlf\irllugf.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\Rtvhui.exe
C:\WINDOWS\system32\oudmd\urdd.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\okjvum\jgsoks.exe
C:\WINDOWS\system32\hsbxl\jwsb.exe
C:\WINDOWS\system32\resni32.exe
C:\WINDOWS\ZTLPDLL.EXE
C:\WINDOWS\ZTLPENC.EXE
C:\WINDOWS\system32\recotepg.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Novell\GroupWise\Notify.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\qfgr\repxqyl.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Novell\GroupWise\GRPWISE.EXE
C:\DOCUME~1\wwolf\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.101:8080
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rtvhui.exe
O4 - HKLM\..\Run: [urdd] C:\WINDOWS\system32\oudmd\urdd.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [repxqyl] C:\WINDOWS\system32\qfgr\repxqyl.exe
O4 - HKLM\..\Run: [irllugf] C:\WINDOWS\system32\gahlf\irllugf.exe
O4 - HKLM\..\Run: [jgsoks] C:\WINDOWS\system32\okjvum\jgsoks.exe
O4 - HKLM\..\Run: [jwsb] C:\WINDOWS\system32\hsbxl\jwsb.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitejvb32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [u79j39S] resni32.exe
O4 - HKLM\..\Run: [ZTLPDLL] C:\WINDOWS\ZTLPDLL.EXE
O4 - HKLM\..\Run: [ZTLPENC] C:\WINDOWS\ZTLPENC.EXE
O4 - HKCU\..\Run: [fwqtRVe7e] recotepg.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralInitialSetup1.0.0.8-2.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1

I'm not quite sure about which programs might be causing the issues, nor do I remember how to identify them (I had to remove Home Search Assistant last year from an inherited computer). Any help would be greatly appreciated!

Thanks!

Bill

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Please download and install A-Squared. You will have to register with them in order to install the updates, but it's free. Once updated, run a full scan and remove everything that is found.

    http://www.majorgeeks.com/download4281.html


    Reboot and post a new hijackthis log.
  • Wolftrap
    edited April 2005
    Here's the latest HiJack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:15:06 AM, on 4/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\xtfm\galtou.exe
    C:\WINDOWS\system32\NALNTSRV.EXE
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\system32\Rtvhui.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\system32\tskal.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Novell\GroupWise\Notify.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
    C:\WINDOWS\system32\bvjck\wfadfke.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.101:8080
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rtvhui.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [qxsirfo] C:\WINDOWS\system32\cfnqpg\qxsirfo.exe
    O4 - HKLM\..\Run: [wfadfke] C:\WINDOWS\system32\bvjck\wfadfke.exe
    O4 - HKLM\..\Run: [galtou] C:\WINDOWS\system32\xtfm\galtou.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteztg32.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [u79j39S] unldde.exe
    O4 - HKLM\..\Run: [xjqmfvz] c:\windows\system32\abwmcq.exe
    O4 - HKCU\..\Run: [fwqtRVe7e] tskal.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1
  • Wolftrap
    edited April 2005
    Here's the latest:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:15:06 AM, on 4/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\xtfm\galtou.exe
    C:\WINDOWS\system32\NALNTSRV.EXE
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\system32\Rtvhui.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\system32\tskal.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Novell\GroupWise\Notify.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
    C:\WINDOWS\system32\bvjck\wfadfke.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.101:8080
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rtvhui.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [qxsirfo] C:\WINDOWS\system32\cfnqpg\qxsirfo.exe
    O4 - HKLM\..\Run: [wfadfke] C:\WINDOWS\system32\bvjck\wfadfke.exe
    O4 - HKLM\..\Run: [galtou] C:\WINDOWS\system32\xtfm\galtou.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteztg32.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [u79j39S] unldde.exe
    O4 - HKLM\..\Run: [xjqmfvz] c:\windows\system32\abwmcq.exe
    O4 - HKCU\..\Run: [fwqtRVe7e] tskal.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C32DAF20-8F11-4B18-A218-8D08E7275B36}: NameServer = 10.1.1.1
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited April 2005
    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    Wild Tangent
    Viewpoint Manager
    Viewpoint Media Player
    Bulls Eye


    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and download all updates. Then exit Ewido once all updates are installed.


    Please run Notepad and copy the following text into a new file:
    @ECHO OFF
    cd %windir%
    Nail.exe /FULLREMOVE
    sc config SvcProc start= disabled
    sc stop SvcProc
    sc delete SvcProc
    attrib -s -r -h nail.exe
    attrib -s -r -h svcproc.exe
    del nail.exe
    del svcproc.exe
    cd %windir%\system32
    attrib -s -r -h DrPMon.dll
    del DrPMon.dll
    exit

    Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

    Reboot your computer into Safe Mode
    Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows


    Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.



    Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rtvhui.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [qxsirfo] C:\WINDOWS\system32\cfnqpg\qxsirfo.exe
    O4 - HKLM\..\Run: [wfadfke] C:\WINDOWS\system32\bvjck\wfadfke.exe
    O4 - HKLM\..\Run: [galtou] C:\WINDOWS\system32\xtfm\galtou.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteztg32.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [u79j39S] unldde.exe
    O4 - HKLM\..\Run: [xjqmfvz] c:\windows\system32\abwmcq.exe
    O4 - HKCU\..\Run: [fwqtRVe7e] tskal.exe
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...nds/install.cab



    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\msxml4.cab
    C:\WINDOWS\cfgmgr51.dll
    C:\WINDOWS\Bolger.dll
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\msbe.dll
    C:\WINDOWS\system32\tskal.exe
    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\system32\Rtvhui.exe
    C:\WINDOWS\system32\cfnqpg <-- this folder
    C:\WINDOWS\system32\bvjck <-- this folder
    C:\WINDOWS\system32\xtfm <-- this folder
    C:\windows\system32\eliteztg32.exe
    c:\windows\system32\abwmcq.exe
    C:\Program Files\BullsEye Network <-- this folder
    C:\Program Files\AutoUpdate <-- this folder
    C:\Program Files\Viewpoint <-- this folder
    C:\Program Files\WildTangent <-- this folder
    C:\Program Files\CxtPls <-- this folder
    unldde.exe


    Restart your computer.

    You are using an outdated version of Hijackthis.
    Please download the current version of Hijackthis and post a new hijackthis log.

    http://www.short-media.com/download.php?d=245
Sign In or Register to comment.