Hijack This Log, need help.

Unread postby oulevon » July 9th, 2005, 2:38 pm

Hello,

I was wondering if someone could take a look at my log file to see what further actions I needed to take to rid this computer of any viruses. The computer was infected with the aurora/nail.exe virus and I was led to this page after I followed instructions from the following link:

http://forums.us.dell.com/supportforums ... ge.id=6790

If anyone needs any other information, please let me know. Thank you in advance for any help you could provide me with.


Code:
Logfile of HijackThis v1.99.1
Scan saved at 2:18:50 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\jrmnjh.exe
C:\WINDOWS\System32\rdcon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Privacy Champion\pscan.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecik32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\jrmnjh.exe reg_run
O4 - HKLM\..\Run: [r3rW34g] rdcon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Ziuhik.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Qsnulf.exe
O4 - HKLM\..\Run: [ABox] C:\WINDOWS\ABox.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [heqoxga] c:\windows\system32\maifvpf.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a006RQM9l] psoookup.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: kntp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8296_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120274906274
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

oulevon
Active Member
Posts: 6
Joined: July 9th, 2005, 2:20 pm

Unread postby 'KotaGuy » July 10th, 2005, 11:00 pm

Hi oulevon! I'm 'KotaGuy. Welcome to Malware Removal.

I'm curious about something. Run HijackThis, click the Misc Tools button. Then click the Open Uninstall Manager button. Click the Save List button. Save the file to your desktop.

Post the uninstall_list.txt file and a new HijackThis log please. After you have done that, do not reboot/logoff/turn off your computer unless I instruct it, please. One of the infections you have mutates each time you do and I would like to avoid that.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby oulevon » July 11th, 2005, 6:29 am

Hi KotaGuy,


Thanks for your help. Here is the uninstall log:

Code:
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe PhotoDeluxe Home Edition 4.0
America Online
AOL Coach Version 1.0(Build:20030807.3)
BCM V.92 56K Modem
Britannica Ready Reference
Broadcom Advanced Control Suite
Candy Land
Chutes and Ladders
Content Delivery Module
DAO
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
Dell Support 5.0.0 (766)
Disney's Activity Center, Winnie the Pooh
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
Easy CD Creator 5 Basic
ewido security suite
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp instant support
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet Drivers
hp psc 2200 series
Intel(R) Extreme Graphics Driver
JD Secure 3.1
Just Grandma and Me
Kazoo Player
Leap Ahead Phonics Ages 4-7
Little Mermaid II Return to the Sea
Macromedia Shockwave Player
Man in the Moon
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Media Access
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office 2000 Professional
Modem Helper
Mozilla Firefox (1.0.4)
MUSICMATCH Jukebox
Paint Shop Pro 7
PC-Linq
Quicken 2005
QuickTime
Reader Rabbit's Math Ages 4-6
Reader Rabbit's Reading Ages 4-6
Reader Rabbit's Toddler
Readiris 7.5
RealOne Player
Registry Cleaner (Trial)
RichEditor
Scholastic's I SPY Junior
Security Manager
Sesame Street Search & Learn Adventures
Ski Jumping 2004
Spybot - Search & Destroy 1.4
Terayon DOCSIS Modem
The ABI Network- A Division of Direct Revenue
Viewpoint Media Player (Remove Only)
WeirdOnTheWeb
Windows AFA Internet Enhancement
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB842773
WordPerfect Office 2002
WordPerfect Office 2002
Yahoo! Toolbar



And here is the new hijack this log:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 6:25:07 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\jrmnjh.exe
C:\WINDOWS\System32\ipvnt97.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Aprps\CxtPls.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\LxrJD31c.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecik32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\jrmnjh.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Ziuhik.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Qsnulf.exe
O4 - HKLM\..\Run: [ABox] C:\WINDOWS\ABox.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [heqoxga] c:\windows\system32\maifvpf.exe r
O4 - HKLM\..\Run: [r3rW34g] ipvnt97.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a006RQM9l] iphlib.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: kntp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8296_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120274906274
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



I won't be able to get to my computer until this evening because of work, so I'm sorry if I can't respond sooner. Thanks again for your help.
oulevon
Active Member
Posts: 6
Joined: July 9th, 2005, 2:20 pm

Unread postby 'KotaGuy » July 11th, 2005, 2:21 pm

Thanks for posting the logs!

Copy/paste this into notepad or wordpad for reference during the fix.

Go to Add/Remove Programs. Uninstall Media Access, The ABI Network- A Division of Direct Revenue, WeirdOnTheWeb and Windows AFA Internet Enhancement.

There are also a couple of other entries in your Add/Remove list I'm curious about. Do you recognize these:

Content Delivery Module
DAO


Download and install CCleaner. Don't run it yet.

Download LQFix. Extract the file to a folder. Don't run it yet.

Update Ewido. Don't scan with it yet.

Make sure no files are hidden. To do this:

1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Click OK.

Boot into Safe Mode. To do this:

1. Reboot your computer.
2. Tap the F8 button as your computer is booting to bring you to the Advanced Options Menu.
3. Select Safe Mode and press Enter.

Run and scan with HijackThis. With all browsers and windows closed, place checks beside the following and fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecik32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\jrmnjh.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Ziuhik.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Qsnulf.exe
O4 - HKLM\..\Run: [ABox] C:\WINDOWS\ABox.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [heqoxga] c:\windows\system32\maifvpf.exe r
O4 - HKLM\..\Run: [r3rW34g] ipvnt97.exe
O4 - HKCU\..\Run: [a006RQM9l] iphlib.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Global Startup: kntp.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/ads ... nstall.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll


Note: This O4 entry:

O4 - HKLM\..\Run: [heqoxga] c:\windows\system32\maifvpf.exe r

May mutate on you. If it isn't in the HJT list, look for a similar entry with the "r" behind the ".exe". You will need to fix that line. If it has mutated, write the name of the file down, but don't include the "r" after the ".exe".

Run LQFix.bat. A DOS window will open and close, this is normal. Run Ewido through a full scan. While Ewido is running, do not use your computer, let it do what it needs to do. If you do anything on it while the scan is running, chances are your machine will be reinfected. Save the logfile please.

Search for and delete these folders:

C:\Program Files\AutoUpdate
C:\Program Files\Media Access
C:\Program Files\WeirdOnTheWeb
C:\Program Files\Cas
C:\Program Files\Privacy Champion

Search for and delete these files:

C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\richup.exe
C:\WINDOWS\System32\jrmnjh.exe
C:\WINDOWS\System32\Ziuhik.exe
C:\WINDOWS\System32\Qsnulf.exe
C:\WINDOWS\System32\maifvpf.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\ABox.exe
C:\WINDOWS\logon.exe
ipvnt97.exe
iphlib.exe


Note: This file, C:\WINDOWS\System32\maifvpf.exe, again may have mutated, if so, use the filename I had you write down earlier.

Browse to your C:\Windows\Prefetch folder. Delete all the files in the folder, do not delete the folder itself. Empty your Recycle Bin. Run CCleaner.

Reboot Windows normally and post a new HijackThis log please along with the Ewido log.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
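The "mutating" entry the helper warns about in the post above can be spotted mechanically by comparing the O4 Run lines of two HijackThis logs: the same value name pointing at a different executable (here [r3rW34g] and [a006RQM9l] between the July 9 and July 11 logs), plus the lone "r" argument and bare file names with no directory. The script below is an added example, not part of the thread or of HijackThis; the two log excerpts are constructed from O4 lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the two HijackThis logs posted in this thread
# (July 9 and July 11); only a handful of O4 lines are included.
LOG_JULY9 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\jrmnjh.exe reg_run
O4 - HKLM\..\Run: [heqoxga] c:\windows\system32\maifvpf.exe r
O4 - HKLM\..\Run: [r3rW34g] rdcon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [a006RQM9l] psoookup.exe
"""

LOG_JULY11 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\jrmnjh.exe reg_run
O4 - HKLM\..\Run: [heqoxga] c:\windows\system32\maifvpf.exe r
O4 - HKLM\..\Run: [r3rW34g] ipvnt97.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [a006RQM9l] iphlib.exe
"""

# Matches "O4 - HKLM\..\Run: [name] command" and "O4 - HKCU\..\Run: [name] command".
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')


@dataclass(frozen=True)
class RunEntry:
    hive: str
    name: str   # value name inside the Run key, e.g. "r3rW34g"
    exe: str    # executable as written in the log (full path or bare file name)
    args: str   # anything after the executable

    @property
    def basename(self) -> str:
        return self.exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()

    @property
    def has_path(self) -> bool:
        return '\\' in self.exe


def split_command(cmd: str) -> tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def parse_run_entries(log: str) -> dict[tuple[str, str], RunEntry]:
    """Map (hive, value name) -> RunEntry for every O4 HKLM/HKCU Run line."""
    entries = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        exe, args = split_command(cmd)
        entries[(hive, name)] = RunEntry(hive, name, exe, args)
    return entries


def find_mutations(old: dict, new: dict) -> list[tuple[str, str, str]]:
    """Same Run value name, different executable: the mutation the helper describes."""
    changed = []
    for key, entry in new.items():
        prev = old.get(key)
        if prev is not None and prev.basename != entry.basename:
            changed.append((entry.name, prev.basename, entry.basename))
    return sorted(changed)


def flag_suspicious(entries: dict) -> dict[str, list[str]]:
    """Heuristics taken from this thread: a bare file name with no directory,
    and the single "r" argument noted on the [heqoxga] entry."""
    flags: dict[str, list[str]] = {}
    for entry in entries.values():
        reasons = []
        if not entry.has_path:
            reasons.append('no directory given; resolved via the search path')
        if entry.args == 'r':
            reasons.append('single "r" argument, as described in the thread')
        if reasons:
            flags[entry.name] = reasons
    return flags


if __name__ == '__main__':
    old = parse_run_entries(LOG_JULY9)
    new = parse_run_entries(LOG_JULY11)
    for name, before, after in find_mutations(old, new):
        print(f'[{name}] changed: {before} -> {after}')
    for name, reasons in flag_suspicious(new).items():
        print(f'[{name}] ' + '; '.join(reasons))
```

Run it against two full logs saved as text files to get the list of Run values whose target changed between scans; the legitimate entries (IgfxTray, MSMSGS) are left alone.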

Unread postby oulevon » July 11th, 2005, 10:13 pm

KotaGuy,

Thank you again for all your help. Under Add/Remove Programs, when I try to remove "The ABI Network - A Division of Direct Revenue" a browser window pops up with a message saying that it isn't spyware, but if I want to remove it I have to go to another website for the uninstall tool. I didn't do this, and I tried several times, but it appears that the Add/Remove program will not remove this. Other than that, some of the files you wanted me to delete (PSof1.exe and some others) didn't exist. I did a full search and they couldn't be found. The ones that came up were deleted though. Here is my Hijack This Log:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 10:01:19 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8296_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120274906274
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



And here is the Ewido scan logfile (this is from the point in the instructions where you had me do a scan; I didn't rescan after I rebooted, should I?):
Code:
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:			9:22:02 PM, 7/11/2005
 + Report-Checksum:		CEB15CBF

 + Scan result:

	HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\AutoLoader\rw0c1OdRaLLa -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\AutoLoader\rw0q1OdRaLLa -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
	:mozilla.6:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\44e1r998.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
	:mozilla.7:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\44e1r998.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
	:mozilla.8:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\44e1r998.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
	:mozilla.9:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\44e1r998.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
	C:\Documents and Settings\Jim\Local Settings\Temp\AutoUpdate0\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
	C:\Documents and Settings\Jim\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.AproposMedia : Cleaned with backup
	C:\Documents and Settings\Jim\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
	C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\CJ1RYUNP\My404[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\G5674P2Z\AutoUpdaterInstaller[1].exe -> TrojanDownloader.Apropo.g : Cleaned with backup
	C:\Documents and Settings\Laura\Local Settings\Temp\f593890.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
	C:\Documents and Settings\Laura\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
	C:\HJT\backups\backup-20050711-203807-405.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
	C:\HJT\backups\backup-20050711-203807-858.dll -> Spyware.BookedSpace : Cleaned with backup
	C:\HJT\backups\backup-20050711-203807-995-kntp.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP670\A0037410.dll -> Spyware.BookedSpace : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP676\A0037822.dll -> Spyware.BookedSpace : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039144.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039145.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039146.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039147.exe -> Heuristic.Win32.Dialer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039148.exe -> Heuristic.Win32.Dialer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039149.dll -> Spyware.SmartPops : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039150.exe -> Spyware.SmartPops : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039151.dll -> Spyware.WinAD : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039152.exe -> Spyware.WinAD : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039153.exe -> Spyware.VirtualBouncer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039154.exe -> Spyware.VirtualBouncer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039155.exe -> Spyware.AdBox : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039156.EXE -> Spyware.Background : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039157.exe -> Spyware.BookedSpace : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039158.dll -> Spyware.EliteBar : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039159.exe -> Adware.BetterInternet : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039160.exe -> Adware.BetterInternet : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039161.dll -> Spyware.ImiBar : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039162.exe -> TrojanDownloader.Small.aly : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039163.exe -> Spyware.AproposMedia : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039164.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039165.exe -> Spyware.DealHelper : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039166.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039167.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039168.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039169.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039170.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039171.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039172.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039173.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039174.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039175.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039176.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039177.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039178.exe -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039179.dll -> Spyware.DealHelper : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039180.dll -> TrojanDownloader.Qoologic.q : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039181.dll -> TrojanDownloader.Qoologic.q : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039182.exe -> TrojanDropper.Agent.hl : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039183.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039184.dll -> Spyware.Hijacker.Generic : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039185.exe -> TrojanDownloader.Qoologic.q : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039186.dll -> Spyware.VirtualBouncer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039187.dll -> Spyware.VirtualBouncer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039188.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039189.exe -> TrojanDropper.Agent.hl : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039190.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039191.dll -> Spyware.VirtualBouncer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039192.dll -> Spyware.VirtualBouncer : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039193.exe -> TrojanDropper.Agent.hl : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039194.exe -> Adware.BetterInternet : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039195.exe -> TrojanDropper.Agent.hl : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039196.exe -> TrojanDropper.Agent.hl : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039197.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039198.exe -> Spyware.DealHelper : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039199.exe -> Trojan.Imiserv.c : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039200.bat -> Backdoor.AcidShiver : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039201.exe -> Adware.BetterInternet : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039219.exe -> TrojanDownloader.Small.aly : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039221.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP681\A0039250.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP681\A0040250.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP681\A0040251.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP681\A0040276.exe -> TrojanDownloader.Small.aly : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP682\A0040284.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP682\A0040286.dll -> Spyware.BookedSpace : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP682\A0040287.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
	C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP682\A0040288.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
	C:\WINDOWS\SYSTEM32\ipvnt97.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
	C:\WINDOWS\SYSTEM32\jrmnjh.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
	C:\WINDOWS\SYSTEM32\nsj13.dll -> Spyware.HotSearchBar : Cleaned with backup
	C:\WINDOWS\SYSTEM32\nsr41.dll -> Spyware.HotSearchBar : Cleaned with backup
	C:\WINDOWS\SYSTEM32\nsy31.dll -> Spyware.HotSearchBar : Cleaned with backup
	C:\WINDOWS\SYSTEM32\wunqw.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
	C:\WINDOWS\System320nsx6A0 -> Spyware.HotSearchBar : Cleaned with backup


::Report End



Thanks again for all your help.
oulevon
Active Member
 
Posts: 6
Joined: July 9th, 2005, 2:20 pm
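For readers working through a report in this format, the parser below (an added example, not ewido's code and not from anyone in this thread) groups each finding by where it was found: live files on disk, registry keys, tracking cookies, HijackThis backups, or System Restore snapshot copies. The sample report is constructed from a handful of the entries above; the restore-point bucket is the reason the thread later advises flushing System Restore.

```python
import re
from collections import Counter

# One finding per report line: "<object> -> <detection> : <action>"
LINE_RE = re.compile(r"^\s*(?P<obj>.+?)\s+->\s+(?P<det>\S+)\s+:\s+(?P<action>.+?)\s*$")
# Copies kept by System Restore: \System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.I)

# Constructed sample: a handful of the entries from the report above, same layout.
SAMPLE_REPORT = r"""
    HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\44e1r998.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Jim\Local Settings\Temp\AutoUpdate0\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
    C:\HJT\backups\backup-20050711-203807-405.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP680\A0039200.bat -> Backdoor.AcidShiver : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP682\A0040288.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\WINDOWS\SYSTEM32\jrmnjh.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
::Report End
"""

def parse_report(text):
    """Return (object, detection, action) for every finding line in the report."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.append((m.group("obj"), m.group("det"), m.group("action")))
    return findings

def classify(obj):
    """Bucket a finding by where it lives; the bucket decides how much it matters."""
    low = obj.lower()
    if low.startswith(("hklm\\", "hkcu\\", "hkcr\\", "hku\\")):
        return "registry"          # autostart / COM registration leftovers
    if low.startswith(":mozilla."):
        return "cookie"            # tracking cookies, no code execution
    if RESTORE_RE.search(obj):
        return "restore_point"     # inert unless that restore point is used
    if "\\hjt\\backups\\" in low:
        return "hjt_backup"        # copies HijackThis made when fixing items
    return "live_file"             # on-disk binaries: the ones still a threat

def family(detection):
    """'TrojanDownloader.Qoologic.u' -> 'TrojanDownloader.Qoologic'."""
    return ".".join(detection.split(".")[:2])

def summarize(text):
    """Group findings so the reader can tell live infections from snapshot copies."""
    findings = parse_report(text)
    return {
        "total": len(findings),
        "by_location": Counter(classify(obj) for obj, _, _ in findings),
        "by_family": Counter(family(det) for _, det, _ in findings),
        # Restore points holding malware: these are why System Restore gets flushed
        "restore_points": sorted({int(m.group(1)) for obj, _, _ in findings
                                  for m in [RESTORE_RE.search(obj)] if m}),
        "live": [obj for obj, _, _ in findings if classify(obj) == "live_file"],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full report above, the "live" list is the short set of entries worth re-checking after a reboot; everything under RPnnn disappears once System Restore is turned off and back on.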

Unread postby 'KotaGuy » July 11th, 2005, 10:55 pm

Log looks good! It is clean! Good Work! :D

Open up HijackThis. Press the Misc Tools button. Press the Open Uninstall Manager button. Highlight the AbetterInternet entry in the list and click the Delete this entry button. This should remove it from the Add/Remove programs list.

Download pfind.

Unzip it to the desktop and run pfind.bat.

Once the scan is finished, close the Notepad window that pops up. Then post the entire contents of the file C:\log.txt here for me.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby oulevon » July 11th, 2005, 11:15 pm

When I click the link I get a 404 Error: Page not Found

Thanks again for your help.
oulevon
Active Member
 
Posts: 6
Joined: July 9th, 2005, 2:20 pm

Unread postby 'KotaGuy » July 12th, 2005, 1:59 am

Bleh... so I noticed... s'ok though... looks like Ewido has done its job... how is the computer behaving?
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby oulevon » July 12th, 2005, 6:18 am

It seems to be acting fine.

Thanks again for all your help.
oulevon
Active Member
 
Posts: 6
Joined: July 9th, 2005, 2:20 pm

Unread postby 'KotaGuy » July 12th, 2005, 12:38 pm

To clean up anything that may have been left behind, I suggest doing a couple online virus scans. A couple good ones are Panda ActiveScan and TrendMicro HouseCall. Let them fix anything they find. Reboot between each scan.

If you don't have them, download Ad-Aware and Spybot S&D. Visit this page for proper configuration of Spybot and Ad-Aware. Run and scan with both, letting them fix whatever they find. Remember to reboot between each scan.

Now that your computer is clean, it's a good time to reset your System Restore point. This will ensure a clean backup to fall upon if you ever need it. To do this:
  • Right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Check the "Turn off System Restore" or "Turn off System Restore on all drives" box.

Reboot your computer, follow the steps above, this time unchecking the "Turn off System Restore" and reboot.

I recommend downloading and installing SpywareBlaster, SpywareGuard, and IE-SPYAD as well. The programs are free and can be updated... so please do so. Installing these will go a long way in preventing reinfection.

If you don't have one, I recommend installing a Firewall. I'm sure you've heard of ZoneAlarm.

Check out these links, How'd I get Infected and Understanding Spyware, as well; some good information for you.

Update Windows as well... grab SP2 now that your computer is clean. It will fix a lot of security issues.

Other than that, remember to update Windows frequently, update your protection programs, scan often and...

Surf Safe
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby oulevon » July 12th, 2005, 6:30 pm

KotaGuy


Thanks again for all your help. I would've been lost without you.
oulevon
Active Member
 
Posts: 6
Joined: July 9th, 2005, 2:20 pm

Unread postby 'KotaGuy » July 12th, 2005, 7:43 pm

Was my pleasure! :D

Feel free to return if you ever need to.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada