mal, spy, t/bars,popups, you name it

Post by dlguk » June 1st, 2005, 2:25 pm

Hi all,

This is my first time here and I hope that someone can help me (I got your URL from a person on PC Adviser).
The situation: I have been using Counterspy for a while now and the most it did was come up with cookies; however, recently someone on a PC connected to this one via my router visited some unsavoury sites. I checked the history and did what I could to delete all that I didn't want, but I feel a port has been opened. Since he did this it has gone from 10 not too severe infections to, at the last scan, 48 mostly severe with hundreds of infected registry keys; I could grow a beard in the time it takes to boot up and shut down. Toolbars, oops, there you go, popups, netvendor, OK, no big threat, but my PC was fairly stable till it was misused.

Can anyone help?? Please

Thank you in advance Dlg
PS: I am using XP Pro, SP2, on a 3gig P4 (HT) machine, if this is relevant.

Post by Bertha » June 1st, 2005, 2:38 pm

Hi dl,

Welcome to Malware Removal,

Please download HJT 1.99.1 here - http://www.malwareremoval.com/downloads.html

Unzip it into its own folder, something like C:\HJT. DON'T RUN IT YET.

Now go here http://www.malwareremoval.com/forum/viewtopic.php?t=12

and follow the guidelines it gives for running some scans. Once you have done that,

open HJT and run it, clicking "do system scan and save logfile".
Notepad will open after a few seconds with the log.

Post the results of the HJT log here for me to see.

Bertha

scan as requested

Post by dlguk » June 2nd, 2005, 5:00 am

Logfile of HijackThis v1.99.1
Scan saved at 09:58:35, on 02/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\grovr.exe
C:\WINDOWS\system32\abasa5jrp.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PENSOFT\fquick32.exe
C:\PENSOFT\Quick95.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\DllHost.exe
c:\temp\salm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {074E3AA7-7718-4404-B3F8-FF8FB5414E0E} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [DokX] C:\WINDOWS\grovr.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [onwvgjut] C:\WINDOWS\onwvgjut.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\David\LOCALS~1\Temp\sahagent-cdt1004.exe run
O4 - HKLM\..\Run: [Ã

Post by Bertha » June 2nd, 2005, 6:00 am

dlg,

Hello! and welcome to the Malware Removal forums.

Please read through the following before starting, and copy it to Notepad or print it off so you can follow it.

-

We'll need to disable AdAware's AdWatch, since it might interfere with other program(s) we might be using to 'clean' off your system; you can re-enable it after we're done. To disable this feature, run AdAware SE, then:

1. Click "AdWatch".
2. Click "Tools and Preferences".

(Look at the bottom of the window you will see two options...)


3. Uncheck these options:

Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically


Remember to re-enable this feature once your system is clean.

Download and run WinsockXPFix.
When you run the program, create a ReG-Backup on the desktop, then click Fix. That way, if you lose Internet connectivity you can restore from that backup to get back online and we can try a different approach.

It should replace your LSP stack.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Download CWShredder, unzip it to your desktop and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".

4. Click "Fix ->"

===============

Let's look for, and delete, any program segments (prefetches) that might be present and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these programs' base names, in all files and folders:

PIB.exe*
radio.exe*
WToolsA.exe*
WSup.exe*
msxct.exe*
p2pnetworking.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove Programs and remove (uninstall) the following, if present:

Bullseye Networks
Internet Optimizer
MyWebSearch
NewDotNet
ShopatHomeSelect Agent
SideFind
WinTools
P2P Networking
PowerScan
Spyware Cop
- rogue scanner, see here http://www.spywarewarrior.com/rogue_anti-spyware.htm

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Download the Adware.Istbar removal utility from Symantec and follow the instructions on the same page.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

p2pnetworking ... (p2pnetworking.exe)
WebSeach Toolbar support NT service (TBPSSvc) owner ... (C:\PROGRA~1\Toolbar\TBPSSvc.exe)
WinTools for IE service (WinToolsSvc) owner ... (C:\Program Files\Common Files\WinTools\WToolsS.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.

Please move HijackThis off the desktop and into its own folder; this is very important, as it allows backups to be made.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\grovr.exe
C:\WINDOWS\system32\abasa5jrp.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
c:\temp\salm.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {074E3AA7-7718-4404-B3F8-FF8FB5414E0E} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [DokX] C:\WINDOWS\grovr.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [onwvgjut] C:\WINDOWS\onwvgjut.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\David\LOCALS~1\Temp\sahagent-cdt1004.exe run
O4 - HKLM\..\Run: [Ã
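
Bertha's fix list above is built by reading each HijackThis section (R0/R1 Internet Explorer search keys, O2 browser helper objects, O3 toolbars, O4 Run keys) and picking out entries whose backing file is missing, that autostart from a temp folder, or that name a bare executable with no path. As an added example that is not part of the original thread, here is a small Python triage script for that log format, run over a constructed sample shaped like dlguk's log; the flag rules are my own heuristics for a human reviewer, not HijackThis's logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.99.1 log format. The lines follow the shape of
# the log posted in this thread: R0/R1 Internet Explorer search keys, O2 browser
# helper objects, O3 toolbars and O4 Run keys.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {074E3AA7-7718-4404-B3F8-FF8FB5414E0E} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\David\LOCALS~1\Temp\sahagent-cdt1004.exe run
"""

# One regex per HJT section shape this script understands.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
COM_RE = re.compile(
    r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] ?(?P<cmd>.*)$")
REG_RE = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<value>[^=]+?) = ?(?P<data>.*)$")
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"')
UNQUOTED_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|scr|pif|dll))(?:\s|$)", re.IGNORECASE)

# Folders that an autostart entry should normally never point into.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    kind: str                  # HJT section code: R0, R1, O2, O3, O4, ...
    raw: str                   # the original log line
    name: str = ""             # BHO/toolbar name, Run value name or IE registry value
    target: str = ""           # file path, command path or URL the entry points at
    flags: list = field(default_factory=list)


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line, dropping its arguments.
    Quoted paths are taken verbatim; unquoted ones are cut after the first executable
    extension so 'C:\\Program Files\\x\\y.exe /auto' keeps its embedded space."""
    q = QUOTED_RE.match(cmd)
    if q:
        return q.group("path")
    u = UNQUOTED_RE.match(cmd)
    return u.group("path") if u else cmd.strip()


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    entry = Entry(kind=kind, raw=line.strip())
    if kind in ("O2", "O3"):
        c = COM_RE.match(rest)
        if c:
            entry.name, entry.target = c.group("name"), c.group("path")
    elif kind == "O4":
        r = RUN_RE.match(rest)
        if r:
            entry.name, entry.target = r.group("value"), command_path(r.group("cmd"))
    elif kind in ("R0", "R1"):
        r = REG_RE.match(rest)
        if r:
            entry.name, entry.target = r.group("value").strip(), r.group("data").strip()
    return entry


def flag(entry: Entry) -> Entry:
    """Attach triage hints. These are prompts for a human reviewer, not verdicts."""
    low = entry.target.lower()
    if entry.kind in ("O2", "O3") and ("(no file)" in low or "(file missing)" in low):
        entry.flags.append("orphaned: CLSID registered but backing file absent")
    if entry.kind == "O4":
        if not entry.target:
            # e.g. a line truncated in transit, like the cut-off O4 entry in this thread
            entry.flags.append("unparsed Run value: inspect manually")
        elif "\\" not in entry.target:
            entry.flags.append("bare filename: resolved via search path, origin unknown")
        elif any(mark in low for mark in TEMP_MARKERS):
            entry.flags.append("autorun from a temporary directory")
    return entry


def triage(log_text: str) -> list:
    return [flag(e) for e in map(parse_line, log_text.splitlines()) if e]


def flagged(log_text: str) -> dict:
    """Map each flagged raw line to its triage hints."""
    return {e.raw: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for line, hints in flagged(SAMPLE_LOG).items():
        print(line)
        for hint in hints:
            print("   ->", hint)
```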

format anygood?

Post by dlguk » June 5th, 2005, 4:07 pm

Hello Bertha,

I have carried out your instructions to the best of my ability; a couple of things I couldn't find. I have just started it all again and when I try to run Trendmicro an alert tells me, Housecall, Clean failed:WORM_MUGLY.I. I clicked OK and it proceeded with the scan.
Could it be that this is the culprit and if so could you point me to a patch for it?

Thank you in advance

Dave

Post by Bertha » June 5th, 2005, 4:10 pm

Hey dl,

OK, for the worm that TrendMicro found but could not clean, could you note down its location, so that you can post it back here?

Also, once you have completed the above fix, please post a new HijackThis log back here.

Bertha

Post by dlguk » June 5th, 2005, 5:42 pm

I am afraid you misunderstood: when I tried to run TrendMicro a dialog box opened over it, a small window if you will. On the title bar it has 'HouseCall', in the box was 'Clean failed:WORM_MUGLY.I' and an OK button. When I clicked OK the box disappeared and the scan started.

Dl

Post by Bertha » June 5th, 2005, 5:49 pm

So it never gave you the location of these bad files.

OK, let's try another way then.

Please download MWAV - http://www.mwti.net/antivirus/free_utilities.asp

Allow it to scan all:

Set it up as follows:
Check

Memory, Startup folders, drive, Registry, System folders and Services.
And:
All local drives and Scan all files
Push: Scan Button
The scan can take a couple of hours

Post back the results here of those files it has found, and labelled as baddies :D

Bertha

Post by dlguk » June 7th, 2005, 3:24 am

Doesn't matter what I do, I cannot send the MWAV.LOG; I have been trying since last night.
dave

Post by Bertha » June 7th, 2005, 4:41 am

Hey dave,

OK, can you do this for me then:

Note down the items it has found and their locations.

For example:

Trojan.... C:\WINDOWs etc

Then, once you have noted these down, post them back here for me to see, if any, that is.

Bertha

sorry to be such a pain

Post by dlguk » June 9th, 2005, 4:21 pm

Hello Bertha,

I am sorry for the delay, but I am getting a little confused. Although your instructions were clear enough, the fact I couldn't send them was because it was too large, I think, so to take a note of them would be a mammoth task.
As I think I told you, I have been using 'Counterspy' and I also used Avast. C/spy tells me that all is 'quarantined', but if I delete from there and run it again I get the same old junk; in fact it is getting worse. C/spy tells me that there are three problems in memory and Avast, well, I have attached the log.

Yours hoping you can help

Dave


list

06/06/2005 22:46:20 David 1684 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\optimize[1].exe" file.
06/06/2005 22:46:20 David 1684 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\optimize.exe" file.
06/06/2005 22:46:20 David 1684 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\optimize.exe" file.
06/06/2005 22:46:22 David 1684 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe" file.
06/06/2005 22:46:22 David 1684 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
06/06/2005 22:46:22 David 1684 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
06/06/2005 22:46:29 David 1684 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[1].dll" file.
06/06/2005 22:46:29 David 1684 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Program Files\SideFind\sfbho.dll" file.
06/06/2005 22:46:31 David 1684 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\ncase_new[1].exe\[UPX]" file.
06/06/2005 22:46:31 David 1684 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe\[UPX]" file.
06/06/2005 22:46:31 David 1684 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe\[UPX]" file.
06/06/2005 22:46:32 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\sidefind13[1].dll" file.
06/06/2005 22:46:33 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\SideFind\sidefind.dll" file.
06/06/2005 22:46:34 David 1684 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\cmctl[1].dll\[UPX]" file.
06/06/2005 22:46:34 David 1684 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll\[UPX]" file.
06/06/2005 22:46:34 David 1684 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll\[UPX]" file.
06/06/2005 22:46:35 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\SideFind\sidefind.dll" file.
06/06/2005 22:46:39 David 1684 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
06/06/2005 22:46:39 David 1684 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
06/06/2005 22:46:45 David 1684 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
06/06/2005 22:46:45 David 1684 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
06/06/2005 22:46:47 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
06/06/2005 22:46:47 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
06/06/2005 22:46:48 David 1684 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\temp\optimize.exe" file.
06/06/2005 22:46:48 David 1684 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\temp\optimize.exe" file.
06/06/2005 23:07:16 David 1684 Sign of "Win32:Adan-069 [Adw]" has been found in "C:\WINDOWS\system32\msxct.exe" file.
06/06/2005 23:08:04 David 1684 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\program files\sidefind\sfbho.dll" file.
06/06/2005 23:08:15 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\program files\sidefind\sidefind.dll" file.
06/06/2005 23:08:46 David 1684 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\edowpack.exe" file.
06/06/2005 23:08:53 David 1684 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\ncasepackage.exe\[UPX]" file.
06/06/2005 23:08:57 David 1684 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
06/06/2005 23:10:07 David 1684 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\temp\optimize.exe" file.
07/06/2005 08:09:45 David 1464 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\hjutwg.exe\[UPX]" file.
07/06/2005 08:11:14 David 1464 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\optimize[1].exe" file.
07/06/2005 08:12:12 David 1464 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
07/06/2005 08:12:23 David 1464 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[2].dll" file.
07/06/2005 08:12:30 David 1464 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\optimize[1].exe" file.
07/06/2005 08:12:37 David 1464 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
07/06/2005 08:12:44 David 1464 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Program Files\SideFind\sfbho.dll" file.
07/06/2005 08:12:48 David 1464 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\optimize.exe" file.
07/06/2005 08:12:51 David 1464 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\sidefind13[1].dll" file.
07/06/2005 08:12:58 David 1464 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe" file.
07/06/2005 08:13:05 David 1464 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
07/06/2005 08:13:11 David 1464 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\SideFind\sidefind.dll" file.
07/06/2005 08:13:14 David 1464 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\bb[1].exe" file.
07/06/2005 08:13:19 David 1464 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
07/06/2005 08:13:23 David 1464 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
07/06/2005 08:13:28 David 1464 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\temp\optimize.exe" file.
07/06/2005 08:13:33 David 1464 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\ncase_new[1].exe\[UPX]" file.
07/06/2005 08:13:38 David 1464 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
07/06/2005 08:13:42 David 1464 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\CAY52BCD.exe\[UPX]" file.
07/06/2005 08:13:46 David 1464 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
07/06/2005 08:13:53 David 1464 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe\[UPX]" file.
07/06/2005 08:13:59 David 1464 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\temp\optimize.exe" file.
07/06/2005 08:14:07 David 1464 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\cmctl[1].dll\[UPX]" file.
07/06/2005 08:14:11 David 1464 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
07/06/2005 08:14:19 David 1464 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\cmctl[1].dll\[UPX]" file.
07/06/2005 08:14:22 David 1464 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
07/06/2005 08:14:27 David 1464 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll\[UPX]" file.
07/06/2005 08:14:31 David 1464 Sign of "Win32:DyfucDldr-Z [Trj]" has been found in "C:\temp\optimize.exe" file.
07/06/2005 08:46:20 David 4068 Sign of "Win32:Istdnldr-Y [Trj]" has been found in "c:\windows\hjutwg.exe" file.
07/06/2005 17:49:17 David 1908 Sign of "Win32:Adan-025 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\WinTS[1].cab\WToolsS.exe" file.
07/06/2005 17:49:46 David 1908 Sign of "Win32:Adan-025 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\WinTB[1].cab\WToolsB.dll" file.
07/06/2005 17:49:55 David 1908 Sign of "Win32:Adan-025 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\WinTS[1].cab\WToolsS.exe" file.
07/06/2005 18:31:58 David 1908 Sign of "Win32:Sasser-F [Wrm]" has been found in "C:\Documents and Settings\David\Shared\Ricochet Lost Worlds [v1.3.63] (like DX-Ball, but better) - Games.zip\Ricochet Lost Worlds [v1.3.63] (like DX-Ball, but better) - Games\KeyGen\aaocg-r13.exe" file.
07/06/2005 18:38:27 David 1908 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\Documents and Settings\David\Shared\Webroot_Spy_Sweeper_v3.5.X - CRACK - KeyGen -- -=TOS=-.RB0\cr_ss35x.exe" file.
07/06/2005 18:39:41 David 1908 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\svchost1.exe" file.
07/06/2005 18:39:55 David 1908 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\HIDDEN32.EXE" file.
07/06/2005 18:40:02 David 1908 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe" file.
07/06/2005 18:51:54 SYSTEM 1460 Sign of "Win32:Adhooker [Trj]" has been found in "C:\program files\sunbelt software\counterspy client\quarantine\42405a88-4072-4530-a045-381d45\ed3c2a57-314b-4df7-9eab-7e1529" file.
07/06/2005 18:52:38 SYSTEM 1460 Sign of "Win32:Adan-025 [Adw]" has been found in "C:\program files\sunbelt software\counterspy client\quarantine\4a655a55-64dd-4b5f-9577-2ed90f\9f1359f9-110c-4834-91cf-af9bfe" file.
07/06/2005 18:53:57 SYSTEM 1460 Sign of "Win32:Astubin [Adw]" has been found in "C:\temp\180sapack.exe\[UPX]" file.
07/06/2005 21:15:19 David 1472 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\istrecover[1].exe\[UPX]" file.
07/06/2005 21:15:52 David 1472 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
07/06/2005 21:16:03 David 1472 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\ncasepackage.exe\[UPX]" file.
07/06/2005 21:16:13 David 1472 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bhfwpmay.exe\[UPX]" file.
07/06/2005 21:16:20 David 1472 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\nem220[1].dll" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\sfbho13[1].dll" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\nem220.dll" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Program Files\SideFind\sfbho.dll" file.
07/06/2005 21:28:32 David 1472 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
07/06/2005 21:32:32 David 1448 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\istrecover[1].exe\[UPX]" file.
07/06/2005 21:40:51 David 1448 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
07/06/2005 21:40:56 David 1448 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cttkdrg.exe\[UPX]" file.
07/06/2005 21:40:56 David 1448 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cttkdrg.exe\[UPX]" file.
07/06/2005 21:40:56 David 1448 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
07/06/2005 21:40:57 David 1448 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe" file.
07/06/2005 21:40:58 David 1448 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\bb[1].exe" file.
07/06/2005 21:40:58 David 1448 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
07/06/2005 21:40:58 David 1448 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe" file.
07/06/2005 21:41:00 David 1448 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
07/06/2005 21:41:00 David 1448 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\EDowPack.exe" file.
07/06/2005 21:41:02 David 1448 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[1].dll" file.
07/06/2005 21:41:02 David 1448 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Program Files\SideFind\sfbho.dll" file.
07/06/2005 21:41:02 David 1448 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
07/06/2005 21:41:02 David 1448 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
07/06/2005 21:41:04 David 1448 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sidefind13[1].dll" file.
07/06/2005 21:41:04 David 1448 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\SideFind\sidefind.dll" file.
07/06/2005 21:41:06 David 1448 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\SideFind\sidefind.dll" file.
07/06/2005 21:41:06 David 1448 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\ncase_new[1].exe\[UPX]" file.
07/06/2005 21:41:06 David 1448 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe\[UPX]" file.
07/06/2005 21:41:06 David 1448 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe\[UPX]" file.
07/06/2005 21:41:08 David 1448 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\cmctl[1].dll\[UPX]" file.
07/06/2005 21:41:08 David 1448 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll\[UPX]" file.
07/06/2005 21:41:08 David 1448 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll\[UPX]" file.
07/06/2005 22:25:32 David 3664 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\Documents and Settings\David\Local Settings\Temp\cttkdrg.exe\[UPX]" file.
07/06/2005 22:26:45 David 3664 Sign of "Win32:Adan-060 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\bb[1].exe" file.
07/06/2005 22:27:16 David 3664 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\sfbho13[1].dll" file.
07/06/2005 22:27:25 David 3664 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\istrecover[1].exe\[UPX]" file.
07/06/2005 22:27:37 David 3664 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\ncase_new[1].exe\[UPX]" file.
07/06/2005 22:27:45 David 3664 Sign of "Win32:Adan-021 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\cmctl[1].dll\[UPX]" file.
07/06/2005 22:27:50 David 3664 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\nem220[1].dll" file.
07/06/2005 22:27:52 David 3664 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[1].dll" file.
07/06/2005 22:27:56 David 3664 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sidefind13[1].dll" file.
07/06/2005 22:43:52 David 1448 Sign of "Win32:Adan-069 [Adw]" has been found in "C:\System Volume Information\_restore{390B6801-E38A-43E2-B9B1-DB5583D3AF74}\RP447\A0094577.exe" file.
08/06/2005 08:29:24 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\nem220[1].dll" file.
08/06/2005 08:30:00 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\nem220.dll" file.
08/06/2005 08:30:20 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\nem220[1].dll" file.
08/06/2005 08:30:23 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\nem220.dll" file.
08/06/2005 08:30:43 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\nem220[1].dll" file.
08/06/2005 08:30:53 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\nem220.dll" file.
08/06/2005 08:59:08 David 1468 Sign of "Win32:Adan-024 [Adw]" has been found in "C:\program files\sidefind\sfbho.dll" file.
08/06/2005 08:59:26 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\program files\sidefind\sidefind.dll" file.
08/06/2005 08:59:49 David 1468 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\temp\edowpack.exe" file.
08/06/2005 08:59:52 David 1468 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\ncasepackage.exe\[UPX]" file.
08/06/2005 08:59:55 David 1468 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\temp\sahagent-cdt1004.exe" file.
08/06/2005 18:28:57 SYSTEM 1356 Sign of "Win32:Adan-069 [Adw]" has been found in "C:\System Volume Information\_restore{390B6801-E38A-43E2-B9B1-DB5583D3AF74}\RP447\A0094577.exe" file.
08/06/2005 19:20:17 David 2752 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\svchost1.exe" file.
08/06/2005 19:20:21 David 2752 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\HIDDEN32.EXE" file.
08/06/2005 19:20:23 David 2752 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe" file.
dlguk
Active Member
 
Posts: 7
Joined: June 1st, 2005, 1:49 pm

Unread postby Bertha » June 10th, 2005, 1:42 pm

Hey,

Are you aware that you are running a Cracked version of WinRar, likely to be from a P2P program?

P2P programs are known to just let anything and everything onto your system. I only advise you use those that can be trusted. Do you use a P2P program, and if so check it against this list:
http://www.spywareinfo.com/articles/p2p/

Cracked means that it has been altered in a way to do things it was not supposed to do by the people behind it; they have gone against the agreements which you have to agree to with any software.

I advise that you uninstall WinRar and then get back to me :D

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

pretty please :-(

Unread postby dlguk » June 10th, 2005, 3:27 pm

Hiya Bertha,

Ok, winrar uninstalled through add/remove, and yes I use 'Limewire' occasionally.
This thing is getting really bad; I wish I could send you a screen shot of it.
There is one Avast warning that refuses to go from the screen despite all the buttons.
If you can't come up with any solution, would a repair 'plug the hole'? Sorry, but things are getting real desperate.
I have to keep disconnecting from the net, then I run both C/spy and Avast, BUT they don't remove anything, they just keep building up.
HELP

Dave
dlguk
Active Member
 
Posts: 7
Joined: June 1st, 2005, 1:49 pm

Unread postby Bertha » June 12th, 2005, 1:32 pm

Hey dl,

Sorry about the wait, been caught up with the last bits of college.

I'll be back shortly with the next part of the fix :D

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Bertha » June 12th, 2005, 2:03 pm

Hey dl,

Copy/Print this off so you can follow it

Ok, let's use Killbox to remove the file/folder that is being so stubborn:

Download Pocket Killbox here - http://www.malwareremoval.com/downloads.html

Now take a look at this post, as it will guide you through the installation process as well as the removal process in case you get confused:

http://www.malwareremoval.com/forum/viewtopic.php?t=320

Once you have installed Killbox we need to begin to delete the file folder:

If you look at the topic above this is what we are going to do (so read this part):

How to use KILLBOX to delete a file - Delete on reboot kill

ChrisRLG wrote:

Open Killbox and check a mark in the "RadioBox" which says "Delete On Reboot"

Under "Full Path or File to Delete" copy and paste this entry below (no quotes):

C:\DOCUME~1\David\LOCALS~1\Temp\bb.exe

Now press the red cross and a new window will pop up asking you to confirm the removal. CLICK YES.

Now it will ask you if you wish to reboot. Click NO, as we have more files to add first. Copy and paste these entries (no quotes). You may see some replicated, so no need to copy and paste them twice.

C:\DOCUME~1\David\LOCALS~1\Temp\optimize.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\nem220[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\sfbho13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\sfbho13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\sidefind13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\nem220[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\nem220[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\WinTS[1].cab\WToolsS.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\optimize[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\optimize[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\sidefind13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\bb[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\nem220[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\nem220[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\optimize[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sfbho13[2].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sidefind13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\sidefind13[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\WinTB[1].cab\WToolsB.dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\WinTS[1].cab\WToolsS.exe
C:\Documents and Settings\David\Shared\Ricochet Lost Worlds [v1.3.63] (like DX-Ball, but better) - Games.zip\Ricochet Lost Worlds [v1.3.63] (like DX-Ball, but better) - Games\KeyGen\aaocg-r13.exe
C:\Documents and Settings\David\Shared\Webroot_Spy_Sweeper_v3.5.X - CRACK - KeyGen -- -=TOS=-.RB0\cr_ss35x.exe
C:\program files\sidefind\sfbho.dll
C:\program files\sidefind\sfbho.dll
C:\Program Files\SideFind\sfbho.dll
C:\Program Files\SideFind\sfbho.dll
C:\Program Files\SideFind\sfbho.dll
C:\Program Files\SideFind\sfbho.dll
C:\program files\sidefind\sidefind.dll
C:\program files\sidefind\sidefind.dll
C:\Program Files\SideFind\sidefind.dll
C:\Program Files\SideFind\sidefind.dll
C:\Program Files\SideFind\sidefind.dll
C:\Program Files\SideFind\sidefind.dll
C:\Program Files\SideFind\sidefind.dll
C:\System Volume Information\_restore{390B6801-E38A-43E2-B9B1-DB5583D3AF74}\RP447\A0094577.exe
C:\temp\edowpack.exe
C:\temp\edowpack.exe
C:\temp\EDowPack.exe
C:\temp\EDowPack.exe
C:\temp\EDowPack.exe
C:\temp\EDowPack.exe
C:\temp\EDowPack.exe
C:\temp\EDowPack.exe
C:\temp\EDowPack.exe
C:\temp\optimize.exe
C:\temp\optimize.exe
C:\temp\optimize.exe
C:\temp\optimize.exe
C:\temp\optimize.exe
C:\temp\optimize.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
C:\temp\sahagent-cdt1004.exe
c:\windows\hjutwg.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\nem220.dll
C:\WINDOWS\nem220.dll
C:\WINDOWS\nem220.dll
C:\WINDOWS\system32\msxct.exe


C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe
C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\ncase_new[1].exe
C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll
C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\cmctl[1].dll
C:\temp\NCasePackage.exe
C:\temp\NCasePackage.exe
C:\temp\ncasepackage.exe
C:\WINDOWS\hjutwg.exe
C:\temp\NCasePackage.exe
C:\temp\NCasePackage.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\ncase_new[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\CAY52BCD.exe

C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\cmctl[1].dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\cmctl[1].dll
C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll
C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\svchost1.exe
C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\HIDDEN32.EXE
C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\0H2F4HIN\istrecover[1].exe
C:\temp\NCasePackage.exe
C:\temp\ncasepackage.exe
C:\DOCUME~1\David\LOCALS~1\Temp\bhfwpmay.exe

C:\temp\NCasePackage.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\istrecover[1].exe
C:\temp\NCasePackage.exe
C:\temp\NCasePackage.exe
C:\DOCUME~1\David\LOCALS~1\Temp\cttkdrg.exe
C:\DOCUME~1\David\LOCALS~1\Temp\cttkdrg.exe
C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe
C:\DOCUME~1\David\LOCALS~1\Temp\sais.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\ncase_new[1].exe

C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll
C:\DOCUME~1\David\LOCALS~1\Temp\cmctl.dll
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\cmctl[1].dll
C:\Documents and Settings\David\Local Settings\Temp\cttkdrg.exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9UJPBPZA\istrecover[1].exe

C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\J36K7K9G\ncase_new[1].exe
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\NLDTO4E9\cmctl[1].dll

C:\temp\ncasepackage.exe
C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\svchost1.exe
C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe\HIDDEN32.EXE
C:\Documents and Settings\David\Shared\WinRar 4.1 Pro (with CRACK).zip\WinRar 4.1 Pro (with CRACK).exe\Filters.exe


After you have added the above entries and it asks if you wish to restart, CLICK YES and the computer will restart.
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands
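The scan log earlier in this thread is what the helper turned by hand into the Killbox list above, repeats included. As an added example (not code from the thread, from avast or from Killbox), this Python parser reads lines in that log layout, strips the archive and packer suffixes avast appends to a path, collapses repeated hits on the same on-disk file, and separates out the quarantine and System Restore entries that a plain file delete does not deal with. The sample lines, the archive-extension list and the category names are constructed assumptions.

```python
import re
from collections import OrderedDict

# One avast! 4.x log line in the layout quoted in the thread:
#   DD/MM/YYYY HH:MM:SS <user> <pid> Sign of "<signature>" has been found in "<path>" file.
LINE_RE = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (\d+) Sign of "([^"]+)" '
                     r'has been found in "([^"]+)" file\.$')
CONTAINERS = ('.zip', '.cab', '.rar', '.rb0')  # archive types seen in the log (assumption)

def split_container(path):
    """'outer.zip\\member' and 'file.exe\\[UPX]' hits: only the outer file is on disk."""
    if path.lower().endswith('\\[upx]'):      # [UPX] marks a packed file, not a real member
        path = path[:-6]
    low = path.lower()
    for ext in CONTAINERS:
        cut = low.find(ext + '\\')
        if cut != -1:
            cut += len(ext)
            return path[:cut], path[cut + 1:]
    return path, ''

def classify(path):
    """Where a file lives decides how it is handled, not only whether it is bad."""
    low = path.lower()
    if '\\quarantine\\' in low:
        return 'quarantine'     # already contained by another scanner, not a live threat
    if low.startswith('c:\\system volume information\\'):
        return 'restore_point'  # cleared by purging System Restore, not by deleting the file
    if '\\temporary internet files\\' in low or '\\temp\\' in low:
        return 'cache_or_temp'  # a dropped copy; the installed component lives elsewhere
    return 'other'              # Program Files, WINDOWS, user folders: treat as a live file

def parse_log(text):
    """Return (detections, unparsed lines); odd lines are reported, not silently dropped."""
    hits, rejected = [], []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        when, _user, _pid, sig, raw_path = m.groups()
        outer, inner = split_container(raw_path)
        hits.append({'when': when, 'signature': sig, 'path': outer, 'inner': inner})
    return hits, rejected

def triage(hits):
    """Collapse repeated hits on one on-disk file (NTFS paths are case-insensitive)."""
    files = OrderedDict()
    for h in hits:
        e = files.setdefault(h['path'].lower(), {'path': h['path'], 'kind': classify(h['path']),
                                                 'hits': 0, 'signatures': set()})
        e['hits'] += 1
        e['signatures'].add(h['signature'])
    return files

# Constructed sample in the log's layout (not the thread's own lines; the GUID is a placeholder)
SAMPLE_LOG = r'''
07/06/2005 21:16:03 David 1472 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\ncasepackage.exe\[UPX]" file.
07/06/2005 21:40:51 David 1448 Sign of "Win32:SrchAssist-2 [Adw]" has been found in "C:\temp\NCasePackage.exe\[UPX]" file.
08/06/2005 19:20:17 David 2752 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\David\Shared\Tool (with CRACK).zip\Tool.exe\Filters.exe\svchost1.exe" file.
07/06/2005 18:51:54 SYSTEM 1460 Sign of "Win32:Adhooker [Trj]" has been found in "C:\program files\sunbelt software\counterspy client\quarantine\aaaa\bbbb" file.
07/06/2005 22:43:52 David 1448 Sign of "Win32:Adan-069 [Adw]" has been found in "C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP447\A0094577.exe" file.
this line is not in the log layout
'''

if __name__ == '__main__':
    for e in triage(parse_log(SAMPLE_LOG)[0]).values():
        print(e['kind'], 'x%d' % e['hits'], e['path'], sorted(e['signatures']))
```

Run against the full log from the thread, the two lines for the same file under different case collapse to one entry, and the quarantine and restore-point hits are listed separately from the files that actually need removing.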