MalwareRemoval.com

Help with trojan

Post by ven » October 27th, 2006, 3:14 pm

I was notified by Norton AV that I was infected with trojan brusky. As per this site http://www.precisesecurity.com/computer-virus/tbs-oct45.htm I ran AVG Anti-Spyware in safe mode and deleted what it found. I then rebooted in safe mode and used smitfraudfix.cmd and cleaned the registry. I scanned with Norton AntiVirus; it found two files, gypqqqb.dll and smdjzqe.dll, that it quarantined. Norton's system security site had no fix for them and recommended deleting them, which I did. The system still boots VERY slowly and hangs for 30-45 seconds when I click on my Start menu. Also, whenever I boot into Windows it gives the error "file not found .../system32/gypqqqb.dll", which is one of the files Norton recommended deleting. I ran AVG Anti-Spyware again and deleted one program it found. I have run Spybot and Ad-Aware. Here is the SmitFraudFix log and below that is the HijackThis log.

SmitFraudFix v2.113

Scan done at 18:38:28.96, Thu 10/26/2006
Run from F:\Documents and Settings\Walterfamily\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:49:18 PM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
F:\Program Files\BroadJump\Client Foundation\CFD.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\DOCUME~1\WALTER~1\MYDOCU~1\SMBOLS~1\rundll.exe
F:\Program Files\Common Files\s?stem32\w?nspool.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Hijackthis\show.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {B46688B4-4300-39F4-7762-127490A679E3} - F:\WINDOWS\system32\riyfhdkc.dll (file missing)
O2 - BHO: (no name) - {0CCFBE21-4E21-8AB4-8FE7-073017F57970} - F:\WINDOWS\system32\smdjzqe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - F:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {B46688B4-4300-39F4-7762-127490A679E3} - F:\WINDOWS\system32\riyfhdkc.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - F:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "F:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gypqqqb.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\gypqqqb.dll,xvqzwfg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Rhni] "F:\DOCUME~1\WALTER~1\MYDOCU~1\SMBOLS~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Jxxaemqn] F:\Program Files\Common Files\s?stem32\w?nspool.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
ven
Active Member
 
Posts: 7
Joined: October 27th, 2006, 3:10 pm

Post by 1972vet » October 27th, 2006, 6:12 pm

Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:
PuritySCAN By OIN, OIN, OuterInfo or similar.

Reboot and delete the folder below indicated in Bold text, if found:
C:\Program Files\PurityScan\

Next, please copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\w?nspool.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here in your reply.

Next, please run HijackThis again and check the following:
R3 - URLSearchHook: (no name) - {B46688B4-4300-39F4-7762-127490A679E3} - F:\WINDOWS\system32\riyfhdkc.dll (file missing)
O2 - BHO: (no name) - {0CCFBE21-4E21-8AB4-8FE7-073017F57970} - F:\WINDOWS\system32\smdjzqe.dll (file missing)
O2 - BHO: (no name) - {B46688B4-4300-39F4-7762-127490A679E3} - F:\WINDOWS\system32\riyfhdkc.dll (file missing)
O4 - HKLM\..\Run: [gypqqqb.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\gypqqqb.dll,xvqzwfg
O4 - HKCU\..\Run: [Rhni] "F:\DOCUME~1\WALTER~1\MYDOCU~1\SMBOLS~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Jxxaemqn] F:\Program Files\Common Files\s?stem32\w?nspool.exe
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)


The next two items below are optional. You should read what is known about this software here:
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - F:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - F:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll


Close all windows now except for the HijackThis application window then click Fix Checked.

Locate and delete the following files/folders indicated in Bold text:
NOTE DO NOT PERFORM A SEARCH FOR THESE FILES, YOU MUST NAVIGATE TO THE FILE WITH WINDOWS EXPLORER USING THE PATH SHOWN:
F:\WINDOWS\system32\gypqqqb.dll
F:\WINDOWS\system32\xvqzwfg
F:\DOCUMENTS AND SETTINGS\WALTER~1\MYDOCUMENTS\SMBOLS~1\rundll.exe
F:\WINDOWS\system32\winghy32.dll

Reboot the computer and post the contents of the text you saved in your blank Notepad from the findfile.bat along with a fresh HijackThis log. Thanks!
1972vet
Regular Member
 
Posts: 34
Joined: June 2nd, 2006, 11:44 pm
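The entries 1972vet singled out share a few tells: a registration whose file is already gone ("(file missing)"), rundll32 used to run an export from a random-named DLL in system32, an autorun living under the user's My Documents, and a path containing "?". Those checks can be run mechanically over a log. The script below is an added example, not part of the thread and not a HijackThis feature: it parses a constructed eight-line sample in HijackThis v1.99.1 format built from the paths in the first log, applies the same heuristics, and reports why each line was flagged. The vowel-ratio test for "random-looking" names is my own rough assumption for illustration.

```python
"""Triage HijackThis O2/O4/O20 entries with the heuristics used in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample (HijackThis v1.99.1 line format, paths as posted in the thread):
# five malicious entries mixed with three legitimate ones (Norton, WGA).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0CCFBE21-4E21-8AB4-8FE7-073017F57970} - F:\WINDOWS\system32\smdjzqe.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [gypqqqb.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\gypqqqb.dll,xvqzwfg
O4 - HKCU\..\Run: [Rhni] "F:\DOCUME~1\WALTER~1\MYDOCU~1\SMBOLS~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Jxxaemqn] F:\Program Files\Common Files\s?stem32\w?nspool.exe
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
"""

VOWELS = "aeiou"


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Rough heuristic (an assumption, not a HijackThis rule) for generated names
    such as gypqqqb or xvqzwfg: six or more letters only, fewer than 15% vowels."""
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(c in VOWELS for c in stem.lower())
    return vowels / len(stem) < 0.15


def target_of(line: str) -> str:
    """Extract the command (O4) or the file path (O2/O3/R3/O20) from an entry."""
    if line.startswith("O4 "):
        return line.split("] ", 1)[-1]
    return line.rsplit(" - ", 1)[-1]


def triage_line(line: str) -> list:
    """Return the list of reasons this entry deserves a look (empty if none)."""
    target = target_of(line)
    reasons = []
    if "(file missing)" in target:
        reasons.append("orphaned registration: target file missing")
    if "?" in target:
        reasons.append("'?' in path: characters an ANSI program cannot display (homoglyph trick)")
    if re.search(r"\\(DOCUME~1|Documents and Settings)\\", target, re.IGNORECASE):
        reasons.append("autorun from a user-profile folder")
    if re.search(r"\\rundll32\.exe\s", target, re.IGNORECASE):
        reasons.append("rundll32 used to run a DLL export at logon")
    for stem in re.findall(r'([^\\\s"]+)\.(?:exe|dll)\b', target, re.IGNORECASE):
        if looks_random(stem):
            reasons.append(f"random-looking file name: {stem}")
    return reasons


def triage(log_text: str) -> list:
    """Run triage_line over every non-empty line and keep the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample the Norton, navapw32 and WgaLogon entries pass untouched and the five entries 1972vet listed are reported, each with the reason a helper would quote back in a reply. The heuristics are deliberately loose; a flag means "explain this entry", not "delete it".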

Post by ven » October 27th, 2006, 7:02 pm

1972vet wrote: Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:
PuritySCAN By OIN, OIN, OuterInfo or similar.

Reboot and delete the folder below indicated in Bold text, if found:
C:\Program Files\PurityScan\

Done. PuritySCAN wasn't there but OIN was.
1972vet wrote: Next, please copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\w?nspool.exe /a h > files.txt
notepad files.txt


I am assuming you mean f: as that is where windows is installed. I will proceed with that
1972vet wrote: Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here in your reply.


Volume in drive F has no label.
Volume Serial Number is BCAF-0479

Directory of F:\WINDOWS\system32

08/18/2001 08:00 AM 2,112 winspool.exe
1 File(s) 2,112 bytes

Directory of F:\Documents and Settings\Walterfamily\Desktop

I will do the rest next...

Post by ven » October 27th, 2006, 7:30 pm

Locate and delete the following files/folders indicated in Bold text:
NOTE DO NOT PERFORM A SEARCH FOR THESE FILES, YOU MUST NAVIGATE TO THE FILE WITH WINDOWS EXPLORER USING THE PATH SHOWN:
F:\WINDOWS\system32\gypqqqb.dll
F:\WINDOWS\system32\xvqzwfg
F:\DOCUMENTS AND SETTINGS\WALTER~1\MYDOCUMENTS\SMBOLS~1\rundll.exe
F:\WINDOWS\system32\winghy32.dll

I didn't find any of those and I have show hidden files as my option

1972vet wrote: Reboot the computer and post the contents of the text you saved in your blank Notepad from the findfile.bat along with a fresh HijackThis log. Thanks!


Here is the findfile.bat:

Volume in drive F has no label.
Volume Serial Number is BCAF-0479

Directory of F:\WINDOWS\system32

08/18/2001 08:00 AM 2,112 winspool.exe
1 File(s) 2,112 bytes

Directory of F:\Documents and Settings\Walterfamily\Desktop

Here is the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:04:55 PM, on 10/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
F:\Program Files\BroadJump\Client Foundation\CFD.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
F:\DOCUME~1\WALTER~1\MYDOCU~1\SMBOLS~1\rundll.exe
F:\Program Files\Common Files\s?stem32\w?nspool.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Hijackthis\show.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {B46688B4-4300-39F4-7762-127490A679E3} - F:\WINDOWS\system32\riyfhdkc.dll (file missing)
O2 - BHO: (no name) - {0CCFBE21-4E21-8AB4-8FE7-073017F57970} - F:\WINDOWS\system32\smdjzqe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B46688B4-4300-39F4-7762-127490A679E3} - F:\WINDOWS\system32\riyfhdkc.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "F:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gypqqqb.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\gypqqqb.dll,xvqzwfg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Rhni] "F:\DOCUME~1\WALTER~1\MYDOCU~1\SMBOLS~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Jxxaemqn] F:\Program Files\Common Files\s?stem32\w?nspool.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

THANK YOU!!!!!!!!!

Post by ven » October 27th, 2006, 7:35 pm

I noticed all the items you asked me to check and fix in HijackThis are still there. Should they be? Should I have done all this in safe mode?

Post by ven » October 27th, 2006, 7:52 pm

OK, I am a complete idiot. That HijackThis log was a previous one. Here is the proper one:
Thank you so much for your help

Logfile of HijackThis v1.99.1
Scan saved at 7:20:42 PM, on 10/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
F:\Program Files\BroadJump\Client Foundation\CFD.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Hijackthis\show.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "F:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

It looks as if all those files are gone. I will do all new virus scans and spybot, etc. Thank you!!!!!!!!!!!!

Post by 1972vet » October 28th, 2006, 1:26 pm

That log looks clean but I'd like to investigate something further. Please check to see that your printer or fax is in good working order and inform me of your findings on your next reply. Please note:
If you have more than one user profile on the computer, when you finish with all these instructions, please check each profile by logging on using that user name and running the HijackThis application. If any of the logs from those scans present ANY entries in the log that contain a question mark in the executable file (such as M?config.exe or similar), please post THOSE LOGS.

The PurityScan infection that you had is peculiar in the world of malware infections as it inserts Unicode Cyrillic characters that resemble Latin characters. As such, these characters cannot be read by non-Unicode applications. It's the "?" that appears in the HijackThis log entries that tells on this malware. Infected systems will download and display advertisements that you most probably DO NOT want.

To make sure that your family computer is well protected against this type of behavior, please continue with the following instructions:

You would also benefit by running an update of all your protective software manually just to make certain everything is up to date i.e. Antivirus, Antispyware and Antitrojan software. You should scan with each of those one at a time in safe mode. Allow the software to quarantine whatever it finds and please report any findings in your next reply as well.

Next, please perform this online scan: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then click Install ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Custom Scan" and be sure the following are checked:
  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics

6. When the scan completes, click the "I want to decide item by item" button.
7. For each item found, Select "Disinfect" and click "Next".
8. When done, click the "Show Report" button, then copy and paste the entire report into your next reply and don't forget to mention the condition of your printer and any other findings from your safe mode scans or other user profile HijackThis log scans that contain the telltale question mark as described above. Thanks!
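The "?" explanation above can be demonstrated directly. The Python below is an added example, not from the thread, from HijackThis or from the malware: it builds a path in which the "y" of system32 and the "i" of winspool.exe are replaced by the Cyrillic letters у (U+0443) and і (U+0456). Those particular code points are an assumption chosen to reproduce the s?stem32\w?nspool.exe display in the logs; the page does not record which characters the real sample used. The code renders the path the way an ANSI-only program sees it, lists the foreign characters with their Unicode names, folds lookalike letters back to Latin so the spoof compares equal to the genuine path, and shows why a "?" in the displayed name, which cmd.exe's dir treats as "any single character", still locates a file whose true name cannot be typed in an ANSI console.

```python
"""Cyrillic-homoglyph paths: how ANSI tools show them and how to detect them."""
import fnmatch
import unicodedata

# Constructed test data (assumption: у U+0443 for 'y', і U+0456 for 'i').
CLEAN_PATH = "F:\\Program Files\\Common Files\\system32\\winspool.exe"
SPOOFED_PATH = "F:\\Program Files\\Common Files\\s\u0443stem32\\w\u0456nspool.exe"

# Lower-case Cyrillic letters whose glyphs match a Latin letter in most fonts,
# mapped to the Latin letter they impersonate (a small, illustrative table).
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})


def ansi_view(path: str, codepage: str = "cp1252") -> str:
    """What a non-Unicode program (HijackThis 1.99, an ANSI console) displays:
    every character outside the code page is replaced by '?'."""
    return path.encode(codepage, errors="replace").decode(codepage)


def foreign_chars(path: str) -> list:
    """(offset, character, Unicode name) for each non-ASCII character in the path."""
    return [(i, c, unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(path) if ord(c) > 0x7F]


def skeleton(path: str) -> str:
    """Fold lookalike Cyrillic letters to Latin so spoofed and real paths compare equal."""
    return unicodedata.normalize("NFKC", path).translate(CYRILLIC_LOOKALIKES)


def is_spoof_of(path: str, expected: str) -> bool:
    """True when path differs from expected but is indistinguishable once folded."""
    return path != expected and skeleton(path).lower() == expected.lower()


def wildcard_matches(real_name: str, ansi_name: str) -> bool:
    """The ANSI rendering doubles as a wildcard: '?' means 'any one character' to
    cmd.exe and to fnmatch, so  dir w?nspool.exe  finds the file whose true name
    contains a Cyrillic letter that an ANSI console cannot type."""
    return fnmatch.fnmatchcase(real_name, ansi_name)


if __name__ == "__main__":
    print("ANSI view      :", ansi_view(SPOOFED_PATH))
    for idx, ch, name in foreign_chars(SPOOFED_PATH):
        print(f"offset {idx}: U+{ord(ch):04X} {name}")
    print("spoof of clean :", is_spoof_of(SPOOFED_PATH, CLEAN_PATH))
    real = SPOOFED_PATH.rsplit("\\", 1)[1]
    print("dir wildcard   :", wildcard_matches(real, ansi_view(real)))
```

A scan of autorun entries that reports anything returned by foreign_chars, or anything for which is_spoof_of is true against a list of known system file names, would have caught both the "s?stem32" folder and the "S?MBOLS" folder that F-Secure later named, without relying on a signature for the particular dropper.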

Post by ven » October 29th, 2006, 10:21 pm

Did all the things you told me. The F-Secure online scanner found two viruses:
1. W32/NetworkWorm
2. Trojan-Downloader.Win32.PurityScan.dt
I had it clean them.
Here is the text of the report:

Scanning Report
Sunday, October 29, 2006 20:21:32 - 21:11:26
Computer name: FAMILYROOM
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ E:\ F:\

Result: 2 malware found
Trojan-Downloader.Win32.PurityScan.dt (virus)
• F:\DOCUMENTS AND SETTINGS\WALTERFAMILY\MY DOCUMENTS\S?MBOLS\RUNDLL.EXE
W32/NetworkWorm (virus)
• F:\WINDOWS\TEMP\WINC92.TMP.EXE (Submitted)

Statistics
Scanned:
• Files: 19740
• System: 3800
• Not scanned: 4
Actions:
• Disinfected: 0
• Renamed: 0
• Deleted: 0
• None: 2
• Submitted: 1
Files not scanned:
• C:\D733EFE6BCAFBDB83B78A26D12828784\1394BUS.SYS
• C:\34F22D59755BD\1394BUS.SYS
• F:\PAGEFILE.SYS
• F:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:
• F-Secure AVP: 6.0.171, 2006-10-27
• F-Secure Libra: 2.4.1, 2006-10-26
• F-Secure Orion: 1.2.37, 2006-10-27
• F-Secure Blacklight: 1.0.31, 0000-00-00
• F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
• Use Advanced heuristics

Here is my most recent HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 9:16:15 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
F:\Program Files\BroadJump\Client Foundation\CFD.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Hijackthis\show.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "F:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

Post by 1972vet » October 29th, 2006, 10:33 pm

OK looks good. How's it running for you?

Post by ven » October 29th, 2006, 11:48 pm

Much better. THANK YOU! :cheers:

Post by 1972vet » October 29th, 2006, 11:54 pm

Now that your system is clean, let's create a new restore point.
Please click "Start > Programs > Accessories > System Tools > System Restore"
In the new window, check the 'Create a restore point' in the right pane and click "Next".
In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
Click "Create" and reboot your computer.

In the future, there are some things you can do to prevent spyware infections:

Install the following freeware programs:
SpywareGuard
SpywareBlaster

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

If you do not have a firewall, here are a couple freeware firewalls you can install:
Kerio Personal Firewall
Zone Alarm
Stay updated with the most recent Windows patches using
Microsoft's Windows Update.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from http://www.mozilla.org

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often
or Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup" ) and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files

So how did I get infected in the first place?
Regards, and Happy Surfing!

Post by agrarianmonk » November 19th, 2006, 5:34 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am