Help - Search - Members - Calendar
Full Version: WinCtlAdAlt.exe cloggin up my CPU Usage
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
CallMeJosh
Jan 4 2005, 06:45 PM
I often use 2 accounts when I am on my computer... I have 2 gigs of RAM and this thing is sucking everything up... I run games on 2 or 3 differnt user names for various reasons... what is going on? How do I fix this problem? I have Norton as you can see... I just ran a scan and cleared everything out any ideas on how to fix this?

Logfile of HijackThis v1.99.0
Scan saved at 12:39:55 PM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
c:\apache\APACHE.EXE
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\apache\APACHE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/mothership.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com/mothership.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R3 - URLSearchHook: HyperSearchHook - {62D2530B-0CE2-4991-9BEE-613959E8C2A3} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...e/bridge-c9.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_movies.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PHPGeekUtil - Unknown - c:\apache\APACHE.EXE
O23 - Service: ProductivIT Service - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe
LoPhatPhuud
Jan 4 2005, 09:39 PM
First:
If you didn't install and want NewDotNet, you need to uninstall it. I would recommend it unless it is serving some important purpose. Here are instructions for uninstalling it, DO NOT fix it with HJT or you may lose your internet connection:

http://www.newdotnet.com/#remove


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R3 - URLSearchHook: HyperSearchHook - {62D2530B-0CE2-4991-9BEE-613959E8C2A3} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...e/bridge-c9.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_movies.cab


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\Windows ControlAd\ <-- delete entire folder

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 199.0 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Then run HiJackThis again and post a new log in this thread.
CallMeJosh
Jan 6 2005, 01:24 AM
Logfile of HijackThis v1.99.0
Scan saved at 7:23:37 PM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
c:\apache\APACHE.EXE
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\apache\APACHE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com/mothership.aspx
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PHPGeekUtil - Unknown - c:\apache\APACHE.EXE
O23 - Service: ProductivIT Service - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe



YAY! WinCtlAdAlt is gone! Thank you!!!
LoPhatPhuud
Jan 6 2005, 01:31 AM
One item snuck back in but is not running to no problems there. Once removed your system will be clean.


Check the following items in HiJackThis:
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

Close all open windows except HiJackThis and press 'Fix Checked'.




At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK. Now press "Custom Level."
In the ActiveX section:
Set the first option, 'Download signed controls', to 'Prompt.
Set the second option, 'Download unsigned controls', to 'Disable'.
Finally, set 'Initialize and Script ActiveX controls not marked as safe to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
d. Bugoff: http://tools.zerosrealm.com/bugoff.zip

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/]http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewarrior.com/rogue_anti-spyware,htm

5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www/spywarewarrior.com/rogue_anti-spyware.htm

8. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://spywarewarrior.com/asw-test-guide.htm

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
CallMeJosh
Jan 6 2005, 04:58 AM
Logfile of HijackThis v1.99.0
Scan saved at 10:55:54 PM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
c:\apache\APACHE.EXE
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\apache\APACHE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com/mothership.aspx
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PHPGeekUtil - Unknown - c:\apache\APACHE.EXE
O23 - Service: ProductivIT Service - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe






Did I get it all?

Also I downloaded 3 out of the 4 programs the Spyad one I couldnt get to work but, the rest are fine. Do I have to leave SpywareBlaster and BugOff open? Or can I close them?

Also with the bug off program... The last option won't Enable... It keeps Disabled is there a reason?
LoPhatPhuud
Jan 6 2005, 05:15 AM
SpywareBlaster and Bugoff set "kill bitds" or close holes in IE. Once executed you can close the program. Check SpywareBLaster occasionally for updates. Best place to check for all securtity program updates is at Broadband Reports (http://www.broadbandreports.com) in the Security Forum. The first thread is always the update list for that day. It covers AntiVirus, Anti Trojan, Anti-Spyware and other programs. Well worth a bookmark if you do already use it.

IE/Spyads is a group of registry settings which add website and domain to the restricted list. To install open the folder and execute the batch file. There are options there for adding, removing, etc.
CallMeJosh
Jan 6 2005, 05:23 AM
One last quesiton.. When I run Ad-Aware se it is clean except MRU List with the Location HKEY_USERS:S...... what do i do about this? it always shows up no matter how many times i clean it... is it something to worry about?
CallMeJosh
Jan 7 2005, 08:04 PM
One last quesiton.. When I run Ad-Aware se it is clean except MRU List with the Location HKEY_USERS:S...... what do i do about this? it always shows up no matter how many times i clean it... is it something to worry about?
LoPhatPhuud
Jan 7 2005, 11:50 PM
Efault for AdAware is to not clean Neglible Items, which inlcudes the MRU lists. You can accept the default or change it to remove. Search for MRU in the Help section of AdAware for more information.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.