Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hjt ... trojan

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

hjt ... trojan

Unread postby elastic » May 1st, 2005, 7:54 pm

All


i have ran HJT and cleared all, and rebooted .. i have ran Adaware and spybot, and they keep picking up on Coolsearch ... but for some reason they keep returning ... there seems to be new .exe file appearing out of nowhere.
can you please advise. Thanks elastic

Logfile of HijackThis v1.99.1
Scan saved at 00:42:50, on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\apiwb32.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\LVCOMS.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\netys.exe
C:\Program Files\Paltalk Messenger\paltalk7.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\brendan\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FEF27C0E-F323-983C-7373-F21C8EF035DF} - C:\WINDOWS\system32\javadr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVCOMS.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [netys.exe] C:\WINDOWS\netys.exe
O4 - HKLM\..\RunOnce: [apiwb32.exe] C:\WINDOWS\system32\apiwb32.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4C1DF000-D3FF-11CE-84BA-484F4DF914E6} (ProtoView DataTable Control) - https://orion.mslicense.com/Orion/CABS/pvdt40r.cab
O16 - DPF: {5C06C331-EA8F-11D1-B0B4-00C04FD9198A} (Project1.MSADCO2_Inst) - https://orion.mslicense.com/Orion/CABS/msadc_inst.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A8BA388A-3246-4A2F-869C-CE7BDF6D9A24} (SftTree/OCX 4.5 Tree Control (IE)) - https://orion.mslicense.com/Orion/CABS/ ... 6_I_45.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - https://orion.mslicense.com/orion/rootinst.dll
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconftest ... ontrol.cab
O16 - DPF: {B283E20C-2CB3-11D0-ADA6-00400520799C} (Infragistics Progress Bar) - https://orion.mslicense.com/Orion/CABS/pvprgbar.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D4A97620-8E8F-11CF-93CD-00AA00C08FDF} (Microsoft ActiveX Image Control 1.0) - https://orion.mslicense.com/Orion/CABS/mspert10.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (Infragistics DataTable Control 8.0 (OLEDB)) - https://orion.mslicense.com/Orion/CABS/pvdt80.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winpq32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Easy PDF Creator Printing (Service1) - Unknown owner - C:\Program Files\Easy PDF Creator\EasyPrinting.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
elastic
Active Member
 
Posts: 1
Joined: May 1st, 2005, 7:47 pm
Advertisement
Register to Remove

Unread postby dobhar » May 2nd, 2005, 3:38 am

Hi elastic...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over. I will post back as soon as possible.

If you have any questions post them back in this thread do not start another.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » May 3rd, 2005, 11:53 am

Hi elastic...

I'm very sorry for taking so long to get back to you...thank you for being so patient. Lets see what we can do together to get your PC fixed up...

Note: Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Step 1.
==========
Run HouseCall from Trend Micro from here
- Click "Scan now, it's free" (Note: It will take few minutes to download, so be patient
- Select all available drives
- Check(tick) "Auto Clean"
- Click "Scan"
- After scan completes, copy the full filename of any files that cannot be cleaned or deleted and post them when your done with the following fix

Step 2.
==========
- Download and install CleanUp! from http://downloads.stevengould.org/cleanup/CleanUp40.exe
- A tutorial can be found http://www.bleepingcomputer.com/forums/tutorial93.html
(Note: Do not run this program yet)

Step 3.
==========
Download the following tools but do not run until asked
1. Download cwsserviceremove.zip from here and unzip it to your desktop
2. Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates
3. Download CWShredder from here. Save it to its own folder named C:\CWS

Step 4.
==========
- Enable all "Hidden Files and Folders" in Windows. Instructions can be found here

Step 5.
==========
We need to stop a service...
- Click "Start" button then select "Run"
- Type "services.msc" (without quotes) then hit OK
- Scroll down and find the service called.

Network Security Service

- Right-click on Service and choose "Properties"
- On the "General" tab under "Service Status" click the "Stop" button to stop the service
- Beside "Startup Type" in the dropdown menu select "Disabled"
- Click Apply then OK. Exit the Services utility
(Note: If the service isn't listed go ahead with the rest of these instructions anyway)

Step 6.
==========
- Disconnect from the internet
- Reboot computer into "Safe Mode". Instructions can be found here

Step 7.
==========
- Double click on the cwsserviceemove.reg file on your Desktop
- Grant it permission to add the registry items

Step 8.
==========
- Browse to C:\CWS folder
- Double-click on CWShredder.exe to start it
- click the "Fix ->" button
- You will be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows. click "OK" to continue
- Let it run completely to delete anything it finds
- After its scan, click "Next", then "Exit"

Step 9.
==========
We need to stop some Windows Processes
- Run HiJackThis...
1. Click "Config..." button
2. Click "Misc Tools" button
3. Click "Open process manager" button
4. While holding down the CTRL key, locate (if present) and click on (highlight) each of the following...

C:\WINDOWS\system32\apiwb32.exe
C:\WINDOWS\netys.exe


5. Double-check to make sure that only those item(s) above are highlighted, then click "Kill process" button
6. Click "Refresh". Check to make sure they are not listed
7. Repeat this step if any remain.
- Close HijackThis

Step 10.
==========
Delete the following file(s) and folder(s) in BOLD only. (Don't be concern if they do not exist)
C:\WINDOWS\jlysy.dll <<<= This File
C:\WINDOWS\system32\javadr.dll <<<= This File
C:\WINDOWS\netys.exe <<<= This File
C:\WINDOWS\system32\apiwb32.exe <<<= This File
C:\WINDOWS\system32\winpq32.exe <<<= This File

Step 11.
==========
- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlysy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FEF27C0E-F323-983C-7373-F21C8EF035DF} - C:\WINDOWS\system32\javadr.dll
O4 - HKLM\..\Run: [netys.exe] C:\WINDOWS\netys.exe
O4 - HKLM\..\RunOnce: [apiwb32.exe] C:\WINDOWS\system32\apiwb32.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winpq32.exe (file missing)


- Click the "Fix checked" button...

Step 12.
==========
We now need to cleanup all the Temp files and such
- Start the CleanUp! program I had you download earlier
- Click on the CleanUp! button and let it run to completion
(Note: It may take a few minutes depending on the size of your hard drive so be patient)

Step 13.
==========
- Browse to where you saved AboutBuster and run AboutBuster.exe
- Click "OK" at the directions Read: Important! prompt
- Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams
- Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
- Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
- Click "Exit" and "Exit" again to exit AboutBuster.

Step 14.
==========
- Reboot back into "Normal Mode"
- Post back a new HijackThis log
- Post back the About:Buster log
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby ChrisRLG » May 20th, 2005, 3:07 pm

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware