Adware, Spybot, MS Antispy HELPLESS! Hijack Log...

Post by Suprman37 » June 14th, 2005, 7:07 am

I've run all three and they keep removing the same spyware, but it keeps regenerating itself. It's like they are totally helpless against this. I've even run CWSShredder, and this CWS variant doesn't get removed. Here is my hijack this log...

Logfile of HijackThis v1.99.1
Scan saved at 9:09:09 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ieyc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\addpz.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tramel Raggs\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qielh.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qielh.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F20ED84C-D847-D6C7-F794-2ED9DCB4B4D1} - C:\WINDOWS\javarq.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ieyc32.exe] C:\WINDOWS\ieyc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7812D989-C3B3-4441-A1BA-89589AEDF8D5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7812D989-C3B3-4441-A1BA-89589AEDF8D5} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8704411515
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addpz.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Suprman37
Active Member
 
Posts: 5
Joined: June 14th, 2005, 7:04 am

Post by Bertha » June 14th, 2005, 7:08 am

Hey supr,

I'm looking at your HijackThis log now, bear with me.

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Post by Bertha » June 14th, 2005, 7:17 am

Hey Supr,

Welcome to MR Forums

You have an About Blank infection and a Smitfraud infection; however, first I want to remove the About Blank problem, then tackle Smitfraud.

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

Download CWShredder (delete your current version of it) from here, install it, check for updates but again, don't use it yet.

Then, Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File


Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Don't scan yet. We will do it in safe mode.

Ensure hidden files and folders are set to show;


  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.


Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called

  • Remote Procedure Call (RPC) Helper - C:\WINDOWS\addpz.exe


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Please disconnect from the Internet and unplug your modem for the duration of this fix

You may want to print the rest of these instructions.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

We need to disable your Microsoft AntiSpyware Real-time Protection (to be sure it won't interfere, even though you are in Safe Mode) as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.


While in safe mode, double-click on the cwsserviceremove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then open CWShredder, which you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up task manager Ctrl-Alt-Del and end these processes if they are present

C:\WINDOWS\ieyc32.exe
C:\WINDOWS\addpz.exe


Now find and delete these files; if you can't find one then don't worry, just move on to the next one.

C:\WINDOWS\qielh.dll
C:\WINDOWS\javarq.dll
C:\WINDOWS\ieyc32.exe
C:\WINDOWS\addpz.exe


Now run HijackThis and click the scan button. When it has finished scanning, put a check against the following and click 'Fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qielh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qielh.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qielh.dll/sp.html#93256
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {F20ED84C-D847-D6C7-F794-2ED9DCB4B4D1} - C:\WINDOWS\javarq.dll

O4 - HKLM\..\Run: [ieyc32.exe] C:\WINDOWS\ieyc32.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addpz.exe


The following step is important as you may have several malware files in your temp directories.

Then browse to the C:\Documents and Settings\Your User Name\Local Settings\Temp folder (repeat for all other user names in Documents and Settings) and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files and folders in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Scan with Adaware by opening it and clicking the "Next" button to start the scan.

When the scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log. :)

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Post by Suprman37 » June 14th, 2005, 7:36 am

THANK YOU!

I will print this from work and get to it when I get home. I can tell you that the CWS Shredder and AdWare that you've instructed me to download are the versions I already have.
Suprman37
Active Member
 
Posts: 5
Joined: June 14th, 2005, 7:04 am

Post by Bertha » June 14th, 2005, 7:38 am

You're welcome!! :D

If you already have them then just be sure they are up to date :thumbleft:

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Post by Suprman37 » June 14th, 2005, 8:25 am

Ok, I got the latest version of AboutBuster (5) and it wasn't like what you described. I ran a check, and it removed some adds, but it didn't have the tabs or buttons you were describing and I couldn't get a log from it. I ran it again just to be sure, and still no, but the second time it came up with no adds.

I did everything else to the tee and have just rebooted. This is my new hijack this log. One thing I did notice right away is that Internet Explorer still launches at startup, but I'll change that in the msnconfig.

Here is the log...

Logfile of HijackThis v1.99.1
Scan saved at 7:21:27 AM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Tramel Raggs\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7812D989-C3B3-4441-A1BA-89589AEDF8D5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7812D989-C3B3-4441-A1BA-89589AEDF8D5} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8704411515
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Suprman37
Active Member
 
Posts: 5
Joined: June 14th, 2005, 7:04 am

Post by Bertha » June 14th, 2005, 12:36 pm

Hey Supr,

Well done with the previous fix!!

Now please do as follows: (print this off)

Now we need to see if we need to restore some deleted files:
Please check for the following files using the Windows Search Engine:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll

If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to install them where they belong for your OS.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

Reboot

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop. http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
http://www.atribune.org/downloads/KillBox.exe

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way).

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. (to be sure)

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE (this will stop IE opening at startup)

O9 - Extra button: Microsoft AntiSpyware helper - {7812D989-C3B3-4441-A1BA-89589AEDF8D5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7812D989-C3B3-4441-A1BA-89589AEDF8D5} - (no file) (HKCU)

Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program. http://www.funkytoad.com/download/hoster.zip

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop. http://www.mvps.org/winhelp2002/DelDomains.inf
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp! http://www.spywareaid.com/index.php?fil ... tware&id=1

4.) Run this online virus scan: ActiveScan - Save the results from the scan! http://www.pandasoftware.com/activescan/

Post a new HiJackThis log and anything that Panda found but could not remove along with its location (not the whole Panda Log!!)

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Post by Suprman37 » June 14th, 2005, 5:17 pm

Ok, here are the panda logs...


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Ab scissor.url
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Virus:Trj/Downloader.CFJ Disinfected Operating system
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tramel Raggs\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addpz.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apilq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apixc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appwx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlhf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlix32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlma.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crlq32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3zg.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ierl.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\iewb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ieyc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipek32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javarn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcgu.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msdr.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msnj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mszc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netmg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntps32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntue.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_euzywg.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_qorlor.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkih32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkno32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syskf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apphg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlwm32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crqi32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iedw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipaz.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javavg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcyq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msbt.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msnj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netml32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntlh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkmj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdknf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\wincd.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winyz.exe

...and the hijack this logs...

Logfile of HijackThis v1.99.1
Scan saved at 4:09:57 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tramel Raggs\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8704411515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Now, Panda found that stuff, but it hasn't come up anywhere else. I still have a few spyware programs in the Add/Remove section (and I don't trust the installers they want you to download to get rid of them), but they aren't the ones listed. They are:

Offer Optimizer
Shopping Wizard.

So far, I haven't seen any ill effects from them, though, and my system is running top notch. I have also since deleted ieyc32.exe and addpz.exe in the Windows directory. I don't know how I missed them before.
Suprman37
Active Member
 
Posts: 5
Joined: June 14th, 2005, 7:04 am

Unread postby Bertha » June 15th, 2005, 6:24 am

Hey Supr,

Your Hijackthis Log is clean, just the Panda results to deal with.

Print this off so you can follow it.

Add Remove Programs

Start - Control Panel - Add/Remove Programs (might not be there)

Offer Optimizer
Shopping Wizard


Ok, let's use Killbox to remove the file/folder that is being so stubborn:

Download Pocket Killbox here - http://www.malwareremoval.com/downloads.html

Now take a look at this post, as it will guide you through the installation process as well as the removal process in case you get confused:

http://www.malwareremoval.com/forum/viewtopic.php?t=320

Once you have installed Killbox we need to begin to delete the file/folder:

If you look at the topic above this is what we are going to do (so read this part):

How to use KILLBOX to delete a file - Delete on reboot kill

ChrisRLG

Open Killbox and put a check mark in the "RadioBox" which says "Delete On Reboot".

Under "Full Path or File to Delete", copy and paste this entry below:

C:\WINDOWS\addpz.exe

Now press the red cross, and a new window will pop up asking you to confirm the removal. CLICK YES.

Now it will ask you if you wish to reboot. Click NO, as we have more files to add first; copy and paste these entries:

C:\WINDOWS\apilq.exe
C:\WINDOWS\apixc32.exe
C:\WINDOWS\appwx32.exe
C:\WINDOWS\atlhf.exe
C:\WINDOWS\atlix32.exe
C:\WINDOWS\atlma.exe
C:\WINDOWS\crlq32.exe
C:\WINDOWS\d3zg.exe
C:\WINDOWS\ierl.exe
C:\WINDOWS\iewb.exe
C:\WINDOWS\ieyc32.exe
C:\WINDOWS\ipek32.exe
C:\WINDOWS\javarn32.exe
C:\WINDOWS\mfcgu.exe
C:\WINDOWS\msdr.exe
C:\WINDOWS\msnj.exe
C:\WINDOWS\mszc32.exe
C:\WINDOWS\n_euzywg.dat
C:\WINDOWS\n_qorlor.dat
C:\WINDOWS\netmg32.exe
C:\WINDOWS\ntps32.exe
C:\WINDOWS\ntue.exe
C:\WINDOWS\sdkih32.exe
C:\WINDOWS\sdkno32.exe
C:\WINDOWS\syskf32.exe
C:\WINDOWS\system32\apphg32.exe
C:\WINDOWS\system32\atlwm32.exe
C:\WINDOWS\system32\crqi32.exe
C:\WINDOWS\system32\iedw.exe
C:\WINDOWS\system32\ipaz.exe
C:\WINDOWS\system32\javavg32.exe
C:\WINDOWS\system32\mfcyq.exe
C:\WINDOWS\system32\msbt.exe
C:\WINDOWS\system32\msnj32.exe
C:\WINDOWS\system32\netml32.exe
C:\WINDOWS\system32\ntlh.exe
C:\WINDOWS\system32\sdkmj.exe
C:\WINDOWS\system32\sdknf.exe
C:\WINDOWS\wincd.exe
C:\WINDOWS\winyz.exe


After you have added the above entries and it asks if you wish to restart, CLICK YES and the computer will restart.

Run Cleanup to empty all your Temporary Internet Folders, as Hijackthis and other programs leave a lot of junk behind:


http://cleanup.stevengould.org

Tell me how things are running now, and post a new Hijackthis Log to be sure.

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Suprman37 » June 15th, 2005, 2:07 pm

Ok, Offer Optimizer and Shopping Wizard are still listed in the add/remove programs, but my system is back to running the way it was previous to the infection. Thanks for everything. The last thing I needed was for this machine to go down. Here's my new log...


Logfile of HijackThis v1.99.1
Scan saved at 1:04:51 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Tramel Raggs\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8704411515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Suprman37
Active Member
 
Posts: 5
Joined: June 14th, 2005, 7:04 am
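Comparing the earlier log with the post-cleanup one above is what a helper does by eye; as an added example that is not code from the thread, here is a small Python parser that diffs two HijackThis logs and flags executables sitting directly in the Windows folder for review. The BEFORE/AFTER excerpts inside are constructed from this thread's logs, not the full logs.

```python
# Added example, not code from the thread: diff two HijackThis logs to see which
# running processes and R/O entries disappeared after the Killbox cleanup.
# BEFORE/AFTER are constructed excerpts modelled on this thread's logs.
import re
BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ieyc32.exe
C:\WINDOWS\addpz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""
AFTER = r"""Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
ENTRY_RE = re.compile(r"^[RONF]\d+ - ")  # R0/R1, O1..O23, N1..N4, F0..F3 lines
WINDIR_ROOT_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

def parse_hjt(log):
    """Return (processes, entries) from HijackThis log text."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            in_procs = False  # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif ENTRY_RE.match(line):
            entries.append(line)
        elif in_procs:
            procs.append(line)
    return procs, entries

def diff_logs(before, after):
    """Set differences, lower-cased because Windows paths are case-insensitive."""
    (bp, be), (ap, ae) = parse_hjt(before), parse_hjt(after)
    low = lambda xs: {x.lower() for x in xs}
    return {"processes_gone": sorted(low(bp) - low(ap)), "processes_new": sorted(low(ap) - low(bp)),
            "entries_gone": sorted(low(be) - low(ae)), "entries_new": sorted(low(ae) - low(be))}

def windir_root_exes(procs):
    """Images directly in C:\\WINDOWS: review candidates, not verdicts (SOUNDMAN.EXE is legitimate)."""
    return [p for p in procs if WINDIR_ROOT_RE.match(p)]
```

The root-folder heuristic deliberately lists Realtek's SOUNDMAN.EXE alongside addpz.exe and ieyc32.exe: it narrows what to look up, it does not decide what to delete.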

Unread postby Bertha » June 15th, 2005, 2:19 pm

Try this to remove BetterInternet etc.

Follow the instructions in this post:

http://www.malwareremoval.com/forum/viewtopic.php?t=13

Download SpyBot and AdAware SE from that page and set them up as shown, run them and reboot between scans.

Tell me how things are running and post a new HJT Log.

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby ChrisRLG » July 6th, 2005, 8:50 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK