Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Oooohh NO! I left the back door open! Please help with log..

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Oooohh NO! I left the back door open! Please help with log..

Unread postby rstone » June 16th, 2005, 12:38 am

Logfile of HijackThis v1.99.1
Scan saved at 12:24:05 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\sdbhtm.exe
c:\windows\system32\egyisyv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sdbhtm.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\uanzra.exe
C:\WINDOWS\system32\pavsrv.exe
C:\WINDOWS\system32\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [gthfbz] c:\windows\system32\egyisyv.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uanzra.exe reg_run
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitevma32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sdbhtm] C:\WINDOWS\system32\sdbhtm.exe
O4 - HKCU\..\RunOnce: [sdbhtm] C:\WINDOWS\system32\sdbhtm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62479 ... ge-c15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4. ... egular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3416386531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\WINDOWS\SYSTEM32\pavsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
rstone
Active Member
 
Posts: 6
Joined: June 16th, 2005, 12:33 am
Advertisement
Register to Remove

Unread postby dobhar » June 16th, 2005, 3:29 am

Hi rstone...let's close that door...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible.

If you have any questions post them back in this thread do not start another.

One thing I noticed off the hop...Your are running HijackThis from your C:\Temp folder. HijackThis should be run from a folder on it's own and not from a "Temp" folder. One of the Steps in our "Fix" is to clean out the Temp folders so we would lose the HJT program plus the backups it creates..

Please follow the instructions below to download the latest version and to save it to it's own folder:
- Download the latest HijackThis version 1.99.1 from here
- Save it on the root of your C: Drive to a folder called HJT or HijackThis
- To create the folder...
1. Open "My Computer"
2. Double-click "C:" or "Local Disk (C: )"
3. Right-click in an open area in that window
4. Select/left-click on "New" from the drop-down
5. Select/left-click on "Folder"
6. A folder will appear with the cursor blinking and the words "New Folder" will be highlighted
7. Name the folder HJT or HijackThis :D
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » June 16th, 2005, 3:45 am

Hi rstone...

Please make sure you take care of getting HijackThis (per the instructions in my first post) into it's own folder before running these fixes.

Thanks,
__________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
__________________________________________

Step 1.
==========

- Open the Control Panel then double click on Add or Remove Programs
- Look for the following and uninstall them if found:
WebSearch

Step 2.
==========

- Please download the trial version of Ewido Security Suite from here
- Install ewido security suite...
* Launch ewido...there should be an icon on your desktop double-click it
* When you run ewido for the first time, you could get a warning "Database could not be found!". Click OK
* The program will prompt you to update click the OK button
* The program will now go to the main screen
- You will need to update ewido to the latest definition files
* On the left-hand side of the main screen click Update button
* Click on Start
- The update will start and a progress bar will show the updates being installed
- Once finished updating close ewido
(Note: Do NOT run a scan yet)

Step 3.
==========

- Please download Nailfix from here
- Extract\Unzip it to the Desktop
(Note: Do NOT run it yet as it has to be run in "Safe Mode")

Step 4.
==========

Reboot your computer into "Safe Mode":
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
(Note: For additional help in booting into Safe Mode, see the following site here)

Step 5.
==========

We need to make sure all hidden files are showing so please:
  • Open "My Computer".
  • Click on "Tools" and from the drop down menu select "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
  • UNCHECK the "Hide file extensions for known types option".
  • UNCHECK the "Hide protected operating system files (recommended) option".
  • Click "Yes" to confirm.
  • Click "OK".
Step 6.
==========

- Please double-click on the Nailfix.cmd file on your Desktop
- Your desktop and icons will disappear and reappear, and a window should open and close very quickly <==Don't worry about this, it is normal

Step 7.
==========

- Please start Ewido Security Suite, and run a full scan
* Click on Scanner
* Make sure the following boxes are checked before scanning:
Binder
Crypter
Archives

* Click on Start button to start the scan process
* Let the program scan the machine
- While the scan is in progress you will be prompted to clean files, click OK to proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save Report
* Click Save Report button
* Save the report to your Desktop
- Close ewido

Step 8.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


- Click the "Fix checked" button

Step 9.
==========

We now need to cleanup all the Temp files, Temporary Internet Files, Recycle Bin, etc...
- Click the "Start" button, then select "Run"
- Enter cleanmgr in the "Run" menu to start XP's "Disk Cleanup" tool
- Select the drive you want to clean up. The default will be C:
- Disk Cleanup will calculate the free space on your computer, which may take a few minutes
- After the calculation is complete, confirm that only the following checkboxes are checked:
Temporary Internet Files
Recycle Bin
Temporary (Temp) Files

- Click OK and Yes when prompted to delete files. Disk cleanup will delete the files and close automatically when finished.

- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <= Not the Prefetch folder itself
- Browse to C:\Temp folder. Delete "All" files within the Temp folder<= Not the Temp folder itself

Step 10.
==========

- Restart your computer into "Normal Mode"
- Post a fresh new HijackThis log
- Post the Ewido scan log
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby rstone » June 16th, 2005, 8:08 pm

Hello Dobhar, sorry it's taken me this long to reply. I had to work all day today. Just got home and have d/l all tools you specified. Will print out your instructions and let you know how I made out. Thanks for taking the time to help me.
rstone
Active Member
 
Posts: 6
Joined: June 16th, 2005, 12:33 am

Unread postby rstone » June 17th, 2005, 10:51 am

Dobhar, I did all of the above except the ewido program will not complete. It crashes EVERY time @ 96% done. So I can't post a log from it. I seem to be making progress but I'm sure there is something in the registry that is reloading "look2me.ab" and "qoologic.q" as well as a few other trojans. Here is what my hyjackthis log looks like now. I ran it from safe mode though. Every time I enter WinXP regular mode, viruses start to load. Grrr.

Logfile of HijackThis v1.99.1
Scan saved at 10:36:23 AM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall.trendmicro.com/
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62479 ... ge-c15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3416386531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
rstone
Active Member
 
Posts: 6
Joined: June 16th, 2005, 12:33 am

Unread postby dobhar » June 17th, 2005, 2:17 pm

Hi rstone...

Unless requested we always need a HijackThis log in "Normal Mode", not "Safe Mode". So could you Please post back a HJT log from "Normal Mode".

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » June 17th, 2005, 2:25 pm

Hi rstone...

I have seen this before and the problem was ewido was dying when it was scanning the "System Restore" items.

Let's try this...As one of the last items I am going to get you to do was clean out all your old restore points as they could be infected with "Nasties" lets do it now and run ewido again.

So, using the instructions from here please disable System Restore, reboot, re-enable System Restore, and create a new fresh install point (very important).

After creating that new restore point try running ewido again and see how it runs.

Please post back results of scan and a fresh new HJT log.

Thanks,

Kent
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby rstone » June 17th, 2005, 6:41 pm

Thanks, it worked! Was able to run ewido to the end...!
Ok, here is what I have done:
1) Disabled System Restore
2) Enabled System Restore
3) create new restore point
4) reboot to safe mode
5) Ensure all hidden files are showing (folder options)
6) Ran nailfix.cmd
7) Ewido scan (see log below)
8) Ran Hyjackthis
9) Cleanup all temps (cleanmgr)
10) Empty C:\Windows\prefetch
11) Empty C:\temp
12) restart windows in "normal mode"
13) run hyjackthis again to get log while running in "normal mode".

My Antivir is still popping up windows telling me there are 8-10 trojans
on my machine. I have been selecting "deny access" to them when the window pops up. Is there any hope for this machine?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:19:53 PM, 6/17/2005
+ Report-Checksum: A35E615A

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 34 min
+ Scanned Files: 35467
+ Speed: 17.22 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End

======================================

Logfile of HijackThis v1.99.1
Scan saved at 6:26:22 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62479 ... ge-c15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3416386531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
rstone
Active Member
 
Posts: 6
Joined: June 16th, 2005, 12:33 am

Unread postby dobhar » June 17th, 2005, 7:15 pm

Hi rstone...

Glad to see the ewido scan worked... :D

Now let's see if anything is hidden...Please do the following...

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Step 1.
==========

- Download RKFiles.zip from here
- Create a new folder "C:\Antispyware\RKFiles"
- Extract\Unzip the contents of RKFiles.zip into the new folder you just created
(Note: do not run this program yet as it has to run in Safe Mode)

Step 2.
==========

- Create a new Folder in C:\Antispyware and call it "qoologic"
- Please download Find_Qoologic2.zip from here into the new Folder
- Extract\Unzip it into the new Folder


Step 3.
==========

Please run this MWAV scan for me...
- Download mwav.exe from here to your Desktop
- Double-click the mwav.exe icon to run it (It will self extract)
- Under "Scan Option" section, besides the defaults...
  • Select "Drive". Make sure "All Local Drives" is also selected
  • Select "Scan All Files"
- Click "Scan" button..(Note: Give this "scan" time to finish, it's very thorough)
- When it completes, post back the results...
- In the Virus Log Information Pane left-click and highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and paste it back here in your next reply

(Note: If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning)

Step 4.
==========

Reboot your computer into "Safe Mode"...
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
Step 5.
==========

- Open the C:\Antispyware\RKFiles folder
- Double click on "RKFILES.BAT" to run it (Note: Give it time to run. this may take a while)
- Save the text file it creates. It should save by default to "C:\Log.txt"


Step 6.
==========

- Open the C:\Antispyware\qoologic folder
- Double-click the "Find-Qoologic.bat" file to run it (Note: It'll take a while to run a full scan so please be patient)
- When it is finished a text file will open in Notepad called "file.txt"
- Save this text file in the "qoologic" folder

Step 7.
==========

- Reboot back into "Normal Mode"
- Post the contents of "C:\log.txt" and the "file.txt" results from the "qoologic" folder
- Post back MWAV results
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby rstone » June 17th, 2005, 10:06 pm

Qoologic.bat does not seem to work. Dos window says "Just wait until a text opens please. Disregard the parameters message".

A popup window says:
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not
suitable for running MS-DOS dadadada.. Choose "close to terminate the application.

NO hard drive activity at all... I'm begining to wonder if this would be better to just format @ reinstall, but I've already put a lot of effort into it. And time.


********************************************************
********************************************************
RKfile contents:
C:\Documents and Settings\Administrator\Desktop
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\pjtpql.exe: UPX!
C:\WINDOWS\system32\PSof1.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

********************************************************

********************************************************
mwav contents:
File C:\Documents and Settings\Administrator\Desktop\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
Object "BrowserAid Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BrowserAid Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "DyFuCA Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "tsa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AdRotator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\DS3.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\DS3.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaAccX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\config.ini". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\templates.zip". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaAccX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\DS3.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\DS3.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00000001-C003-4A2F-9142-7CB1D78DE6C1}" refers to invalid object "C:\WINDOWS\tct101.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{017C20C1-F86F-11D8-9B25-000ACD002AE3}" refers to invalid object "C:\WINDOWS\Helper101.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{12EE7A5E-0674-42f9-A76A-000000004D00}" refers to invalid object "C:\WINDOWS\system32\stlb2.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{12EE7A5E-0674-42f9-A76B-000000004D00}" refers to invalid object "C:\WINDOWS\system32\stlb2.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaAccX.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2342DB04-08CE-4CF6-976D-BD9EFA960EFB}" refers to invalid object "c:\sysfwb\1658631355\iefwbar.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{286DA624-B692-4D91-8D49-D57DCB1324E0}" refers to invalid object "C:\WINDOWS\system32\dzcdll.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}" refers to invalid object "C:\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{326BA862-D81C-46BD-9330-58EAC5DE7CDD}" refers to invalid object "C:\WINDOWS\system32\kudic.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{40D41A8B-D79B-43d7-99A7-9EE0F344C385}" refers to invalid object "C:\Program Files\AIM Toolbar\AIMBar.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}" refers to invalid object "C:\WINDOWS\system32\PopOops2.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{42ced37a-abe2-4ed6-bf9d-f2f7219020ef}" refers to invalid object "C:\WINDOWS\system32\oqdmc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{46ba0734-7b06-4318-8732-5ea69dfdaea4}" refers to invalid object "C:\WINDOWS\system32\oqdmc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6a0f860d-92ac-494f-bc53-1f72d78ff43a}" refers to invalid object "C:\WINDOWS\system32\oqdmc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" refers to invalid object "C:\WINDOWS\system32\supdate.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{84FFB063-3E69-463C-92A5-C995F8601EFE}" refers to invalid object "C:\WINDOWS\system32\ioetpp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{872ef9f5-ca6f-407c-88e1-843b7139cef8}" refers to invalid object "C:\WINDOWS\system32\oqdmc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC}" refers to invalid object "c:\sysfwb\1658631355\iefwbar.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{94457870-1992-40AC-A4F9-F1F854FF56F6}" refers to invalid object "C:\WINDOWS\system32\mac42u.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}" refers to invalid object "C:\WINDOWS\system32\SWLAD1.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ecbe2d8a-a832-4564-b015-e006a2800e59}" refers to invalid object "C:\WINDOWS\system32\oqdmc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f879e021-1faf-4ffd-88da-bf4c62fbab7c}" refers to invalid object "C:\WINDOWS\system32\dqarn.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FB790DEE-BE79-BC8A-7C32-E9ECDA914DCA}" refers to invalid object "C:\WINDOWS\system32\aiqitg.dll". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\Main.MimeFilter" refers to invalid object "{8293D547-38DD-4325-B35A-F1817EDFA5FC}". Action Taken: No Action Taken.
Entry "HKCR\Main.MimeFilter.1" refers to invalid object "{8293D547-38DD-4325-B35A-F1817EDFA5FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\trfdsk.amo.1" refers to invalid object "{356B2BD0-D206-4E21-8C85-C6F49409C6A9}". Action Taken: No Action Taken.
Entry "HKCR\trfdsk.iiittt.1" refers to invalid object "{0962DA67-DB64-465C-8CD7-CBB357CAF825}". Action Taken: No Action Taken.
Entry "HKCR\trfdsk.momo.1" refers to invalid object "{52ADD86D-9561-4C40-B561-4204DBC139D1}". Action Taken: No Action Taken.
Entry "HKCR\trfdsk.ohb.1" refers to invalid object "{999A06FF-10EF-4A29-8640-69E99882C26B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\EDow_AS2.exe infected by "Trojan-Downloader.Win32.QDown.x" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\GSM3-0511.exe infected by "Trojan.Win32.Registrator.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\InstallerV3.exe tagged as "not-a-virus:AdWare.SafeSurfing.j". Action Taken: No Action Taken.
File C:\WINDOWS\system32\L90112201.Stub.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\rtneg5_venturahot_246765.exe tagged as "not-a-virus:AdWare.ToolBar.HotSearchBar.e". Action Taken: No Action Taken.
File C:\WINDOWS\system32\weirdontheweb_ventura.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\WINDOWS\system32\WrapperOuter.exe tagged as "not-a-virus:AdWare.VirtualBouncer.c". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\1.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\GL_18.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\i1C.tmp tagged as "not-a-virus:AdWare.SurfSide.j". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\i9.tmp tagged as "not-a-virus:AdWare.SurfSide.j". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\iF.tmp tagged as "not-a-virus:AdWare.SurfSide.j". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\LVVVkG.exe infected by "Trojan-Downloader.Win32.IstBar.jl" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\OP2JGLQZ\158[1].bin tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\wrapperouter.exe tagged as "not-a-virus:AdWare.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QID5XSZI\AppWrap[1].exe infected by "Trojan-Downloader.Win32.Small.ru" Virus! Action Taken: No Action Taken.
File C:\HJT\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Program Files\Fla\Flacpy_inst.exe tagged as "not-a-virus:AdWare.FlashEnhancer.a ". Action Taken: No Action Taken.
File C:\Program Files\rdso\eetu.exe infected by "Trojan-Downloader.Win32.PurityScan.t" Virus! Action Taken: No Action Taken.
File C:\Program Files\USBToolbox\U2v2_03.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system\QBTool.exe infected by "Trojan.Win32.Registrator.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\Cache\876004.exe infected by "Trojan-Dropper.Win32.VB.gg" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\Cache\pi1_60.exe infected by "Trojan-Downloader.Win32.Small.aal" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\Cache\weirdontheweb_ventura2.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\WINDOWS\system32\EDow_AS2.exe infected by "Trojan-Downloader.Win32.QDown.x" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\GSM3-0511.exe infected by "Trojan.Win32.Registrator.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\InstallerV3.exe tagged as "not-a-virus:AdWare.SafeSurfing.j". Action Taken: No Action Taken.
File C:\WINDOWS\system32\L90112201.Stub.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\rtneg5_venturahot_246765.exe tagged as "not-a-virus:AdWare.ToolBar.HotSearchBar.e". Action Taken: No Action Taken.
File C:\WINDOWS\system32\weirdontheweb_ventura.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\WINDOWS\system32\WrapperOuter.exe tagged as "not-a-virus:AdWare.VirtualBouncer.c". Action Taken: No Action Taken.
File C:\WINDOWS\Temp\!update.exe infected by "Trojan-Downloader.Win32.PurityScan.t" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
:cry:
rstone
Active Member
 
Posts: 6
Joined: June 16th, 2005, 12:33 am

Unread postby dobhar » June 18th, 2005, 1:18 am

hi rstone...

Dont get disheartened...we'll fix you up... :D It sometimes takes a few rounds of fixes to get everything.

Step 1.
==========

We need to make sure all hidden files are showing...
- Open "My Computer"
- Click on "Tools" and from the drop down menu select "Folder Options"
- Select the "View" tab
- Under the "Hidden files and folders" heading SELECT "Show hidden files and folders"
- UNCHECK the "Hide file extensions for known types option"
- UNCHECK the "Hide protected operating system files (recommended) option"
- Click "Yes" to confirm
- Click "OK"

Step 2.
==========

Reboot computer into "Safe Mode" Using the F8 method...
- Restart the computer
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
- Press the Enter key
(Note: For additional help in booting into Safe Mode, see the following site here)

Step 3.
==========

Delete the following file(s) and folder(s) in BOLD only, if found (please do NOT try to find them by "search" because they will not show up that way)
C:\WINDOWS\system32\pjtpql.exe <<<=Delete This File
C:\WINDOWS\system32\PSof1.exe <<<=Delete This File

Step 4.
==========

- Reboot back into "Normal Mode"
- Download, install, setup, and run Ad-aware SE 1.06 and Spybot S&D 1.4 per the instructions found http://www.malwareremoval.com/forum/viewtopic.php?t=13
(Note: If you already have Ad-aware and Spybot make sure they are updated, setup per instructions in link, and re run)

Step 5.
==========

- Run HouseCall from Trend Micro from http://housecall.trendmicro.com/. Let it remove all infected files.
- Click "Scan now, it's free" (Note: It will take few minutes to download, so be patient)
- Select all available drives
- Check(tick) "Auto Clean"
- Click "Scan"
- After scan completes, copy the full filename of any files that cannot be cleaned or deleted and post them when your done with the following fix


Step 6.
==========

Please post back a new log for me to look at.

Kent
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby rstone » June 19th, 2005, 1:56 pm

Hi Kent, Here is what I've done this time.
1) Made sure all hidden files are showing (folder options)
2) Boot to "Safe Mode"
3) Deleted C:\windows\system32\pjtpql.exe and PSof1.exe
4) Reboot to "Normal Mode" & ran Ad-aware SE 1.06 and Spybot S&D 1.4
Ad-aware found 311 critical items and 84 registry keys/values then zapped them all. Consequently, Spybot said I was clean.
5) Ran TrendMicro "housecall" and came up clean
6) msconfig says only AVGNT, ZLCLIENT & CTFMON are running
BUT.......
When I boot to normal mode, I get: Found new hardware, HTTP SSL with window that asks "can windows update to search for software?" I clicked on cancel, them disabled in device mgr because I wasn't sure if this was some kind of virus attack. I know I need Secure Socket Layer but not sure why I'm getting it as "hardware"??? Should I enable it and let it do it's thing? Also, on bootup there is something trying to load after my antivirus (Antivir) loads. There is a 56 sec wait between the time the Antivir icon appears on taskbar and the time Zonealarm appears. Also still running dog slow.. Heres my latest hyjackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:29:46 PM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62479 ... ge-c15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3416386531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
rstone
Active Member
 
Posts: 6
Joined: June 16th, 2005, 12:33 am

Unread postby dobhar » June 19th, 2005, 3:05 pm

Hi rstone...

We still need to remove 1 entry...

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Step 1.
==========

Reboot your computer into "Safe Mode":
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
(Note: For additional help in booting into Safe Mode, see the following site here)

Step 2.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62479 ... ge-c15.cab

- Click the "Fix checked" button

Step 3.
==========

We now need to cleanup all the Temp files, Temporary Internet Files, Recycle Bin, etc...
- Click the "Start" button, then select "Run"
- Enter cleanmgr in the "Run" menu to start XP's "Disk Cleanup" tool
- Select the drive you want to clean up. The default will be C:
- Disk Cleanup will calculate the free space on your computer, which may take a few minutes
- After the calculation is complete, confirm that only the following checkboxes are checked:
Temporary Internet Files
Recycle Bin
Temporary (Temp) Files

- Click OK and Yes when prompted to delete files. Disk cleanup will delete the files and close automatically when finished.

- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <= Not the Prefetch folder itself

Step 4.
==========

- Re-enable the item you disabled in Device Manager (to see if it comes up again. IF it does disable it again)
- Reboot computer into "Normal Mode"
- Post back a few new HJT log
__________________________

As far as the long startup...run Task Manager and click on Processes tab and see what's taking all the "CPU"
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby Nellie2 » July 13th, 2005, 2:44 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 39 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware