HELP ME, I've got a virus..[resolved]

Hi Tommie

Welcome to geekstogo!

Please read through the instructions before you start (you may want to print this out).

Download and unzip cwsserviceremove to your desktop.
cwsserviceremove

Please set your system to show all files; please see here if you're unsure how to do this.

Use Add remove program files uninstall the following program
C:\Program Files\ISTsvc\istsvc.exe

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [jeIki] C:\WINDOWS\lwfmujf.exe
O4 - HKLM\..\Run: [hUTTAxbAr] C:\WINDOWS\lwfmujf.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lwfmujf.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\ISTsvc<--Delete the whole folder
C:\WINDOWS\system32\gah95on6.exe<--Delete this file
C:\Program Files\Internet Optimizer<--Delete the whole folder
C:\WINDOWS\system32\abasa5jrp.exe<--Delete this file

Exit Explorer

Double click on the cwsserviceremove and when asked to merge say yes.

Reboot into normal mode.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc

hi again..

thanx for helping me so quick..

everything went well except for this, cause when i tried to find these files:


C:\WINDOWS\system32\abasa5jrp.exe<--Delete this file
C:\WINDOWS\system32\abasa5jrp.exe<--Delete this file

I couldn't find them..


here are the logs were you for asked:


Logfile of HijackThis v1.99.1
Scan saved at 18:54:05, on 31-3-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Digital Image\Monitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJack THis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...enger&Country=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ITUNES] itune.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [ITUNES] itune.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


and



Incident Status Location

Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccK.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WUpd No disinfected C:\PROGRA~1\MEDIAA~1\MEDIAA~1.EXE
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Favorieten\Fun & Games\Betting.lnk
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\THOMAS~1.GRO\LOCALS~1\Temp\cfout.txt
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access
Adware:Adware/WhenUSearch No disinfected C:\Program Files\Common Files\Whenu
Adware:Adware/WinAD No disinfected C:\autosupdate.exe
Adware:Adware/WinAD No disinfected C:\dd.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\4aIAot.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\5DmjKF.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\afrDPF.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\CBaAIw.exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temporary Internet Files\Content.IE5\Q5IYUQJT\dd[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\ccJbdE.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\F0hxe8.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\fdckFN.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\fFJXwC.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\GjfqF7.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\KZFPe2.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr587D
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr5E45
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr667D
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr6AE8
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.frA5D8
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\YLM4kk.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\1y570B.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\2QbeIS.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\7RNJfe.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\r5IEGM.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\tnQTBQ.exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temporary Internet Files\Content.IE5\OJVZ2W5H\dd[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temporary Internet Files\Content.IE5\S58X6305\istsvc[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\0p8gOb.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\3b4rWH.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\A748be.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\AEeEKZ.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\aKFwGB.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\aPg98G.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\CBk3kd.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\d2ecuy.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\P1mdNe.exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\temp.fr2D2D
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\UBoKUD.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\ZBh4t9.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\ZINcBP.exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temporary Internet Files\Content.IE5\E90NM1E1\dd[1].exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccK.exe
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\31AE3836-48C5-462C-BE8F-01E95B\8402D579-F965-47A3-884B-02166A
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E085D10-9632-4A29-9F3F-0DD450\478B4AA3-7555-4439-85FD-BF295E
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E085D10-9632-4A29-9F3F-0DD450\F279055B-F9C7-4BD1-B6BF-6C2AE2
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E40D68F-4692-4C42-B3CA-A00D55\5A99DEC0-95B1-4EEB-98E5-3B7224
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E40D68F-4692-4C42-B3CA-A00D55\67C8BD1A-545A-4CB3-8044-5BA3C2
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\435E869E-F81C-4062-97EA-6E6094\EFCD3078-CC56-4943-A356-9462D9
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\46A2BB9F-5359-4929-BE69-6FDE93\63D3E242-E077-4703-A185-309D9E
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\6370FD0B-C7BE-4ED8-AFD4-DAF9DE\B201089E-63C8-4AB7-8804-B1AA2E
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\81CCB204-BE11-4465-967D-A81DA6\0A87083B-53E2-4DFA-A311-C374C5
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\81CCB204-BE11-4465-967D-A81DA6\CF413EDB-1CCC-479E-ABB1-5B1A31
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\87867535-0C64-460C-84A2-DEEAAF\0488E002-2515-4D8F-9F22-CE66DA
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\87867535-0C64-460C-84A2-DEEAAF\6DBA3325-5DA3-4396-AFF4-DA9096
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8E6AAD7B-A702-4101-8FEB-AA174C\64CC5FCD-5A4F-4D85-94AC-DE1155
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C22E2043-A8D4-40DB-8C6C-04B651\EE64E929-1B33-47FA-A8DD-FCBD75
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3F5BE9F-7F63-41AC-B685-F41A7E\533ED00B-9BE7-4F84-8F31-3B1722
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3F5BE9F-7F63-41AC-B685-F41A7E\F38445CC-0ADD-46ED-8506-66260C
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C6E99FE7-B097-4957-84F6-329567\B37BC1CD-998B-495C-8588-28822D
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D2CFD1C6-DD39-43A3-B941-C0C9B6\01362B38-2860-42BC-81DE-041741
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D4D1C5BF-52B4-4A77-B4F0-860F7D\6D0034E2-A1DD-47AF-BE5D-90BF22
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\lwfmujf.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\nsorvq.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\abasa5jrp.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\abasa5jrp.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\hochkaod3.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\hochkaod3.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\qh4mkbv9.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\u6f6uftuc.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\u6f6uftuc.exe

everything went well except for this, cause when i tried to find these files:

C:\WINDOWS\system32\gah95on6.exe<--Delete this file
C:\WINDOWS\system32\abasa5jrp.exe<--Delete this file


I couldn't find them.. confused1.gif


i mean those 2 off course..

Hi Tommie

Welcome to geekstogo!

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Download the CCleaner unzip the file to install.
Open the ccleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Don't run yet

Using Add remove program files uninstall the following program:
C:\Program Files\Media Access\MediaAccK.exe

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [ITUNES] itune.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [ITUNES] itune.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Media Access<--Delete the whole folder
itune.exe<--Delete this file
C:\WINDOWS\system32\ap9h4qmo.exe<--Delete this file
C:\Program Files\Common Files\Whenu<--Delete the whole folder
C:\autosupdate.exe<--Delete the whole folder
C:\dd.exe<--Delete the whole folder

Exit Explorer, and reboot as normal afterwards.

Now click on Run Cleaner


If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\lwfmujf.exe
C:\WINDOWS\nsorvq.exe
C:\WINDOWS\system32\abasa5jrp.exe
C:\WINDOWS\system32\abasa5jrp.ini
C:\WINDOWS\system32\hochkaod3.exe
C:\WINDOWS\system32\hochkaod3.ini
C:\WINDOWS\system32\qh4mkbv9.dll
C:\WINDOWS\system32\u6f6uftuc.ini
C:\WINDOWS\u6f6uftuc.exe
End of killbox files

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc

hi,


every thing went well..

here is my log..:

Logfile of HijackThis v1.99.1
Scan saved at 15:05:21, on 1-4-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJack THis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://svcs.microsof...enger&Country=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



im now performing the online virus scans..just a moment..

housecall didnot found any virusses..now im performing the panda scan..

Hi Tommie

I will have to wait for the Panda scan your HJT.Log is clean

Kc

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Favorieten\Fun & Games\Betting.lnk
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\THOMAS~1.GRO\LOCALS~1\Temp\cfout.txt
Adware:Adware/SideFind No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\4aIAot.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\5DmjKF.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\afrDPF.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temp\CBaAIw.exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Els.GROENENDAAL\Local Settings\Temporary Internet Files\Content.IE5\Q5IYUQJT\dd[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\ccJbdE.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\F0hxe8.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\fdckFN.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\fFJXwC.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\GjfqF7.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\KZFPe2.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr587D
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr5E45
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr667D
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\temp.fr6AE8
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\YLM4kk.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\1y570B.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\2QbeIS.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\7RNJfe.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\r5IEGM.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temp\tnQTBQ.exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Myrthe.GROENENDAAL\Local Settings\Temporary Internet Files\Content.IE5\OJVZ2W5H\dd[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\0p8gOb.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\3b4rWH.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\A748be.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\AEeEKZ.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\aKFwGB.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\aPg98G.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\CBk3kd.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\d2ecuy.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\P1mdNe.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\UBoKUD.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\ZBh4t9.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Thomas.GROENENDAAL\Local Settings\Temp\ZINcBP.exe
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\22EED0F3-C8C9-44D3-9770-E1D978\B6871D62-E2BA-4222-852F-00263A
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\22EED0F3-C8C9-44D3-9770-E1D978\F0FA5C64-BCD4-4A57-8341-57001F
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E085D10-9632-4A29-9F3F-0DD450\478B4AA3-7555-4439-85FD-BF295E
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E085D10-9632-4A29-9F3F-0DD450\F279055B-F9C7-4BD1-B6BF-6C2AE2
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E40D68F-4692-4C42-B3CA-A00D55\5A99DEC0-95B1-4EEB-98E5-3B7224
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3E40D68F-4692-4C42-B3CA-A00D55\67C8BD1A-545A-4CB3-8044-5BA3C2
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\435E869E-F81C-4062-97EA-6E6094\EFCD3078-CC56-4943-A356-9462D9
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\6370FD0B-C7BE-4ED8-AFD4-DAF9DE\B201089E-63C8-4AB7-8804-B1AA2E
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\81CCB204-BE11-4465-967D-A81DA6\0A87083B-53E2-4DFA-A311-C374C5
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\81CCB204-BE11-4465-967D-A81DA6\CF413EDB-1CCC-479E-ABB1-5B1A31
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\87867535-0C64-460C-84A2-DEEAAF\0488E002-2515-4D8F-9F22-CE66DA
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\87867535-0C64-460C-84A2-DEEAAF\6DBA3325-5DA3-4396-AFF4-DA9096
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8E6AAD7B-A702-4101-8FEB-AA174C\64CC5FCD-5A4F-4D85-94AC-DE1155
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C22E2043-A8D4-40DB-8C6C-04B651\EE64E929-1B33-47FA-A8DD-FCBD75
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3F5BE9F-7F63-41AC-B685-F41A7E\533ED00B-9BE7-4F84-8F31-3B1722
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3F5BE9F-7F63-41AC-B685-F41A7E\F38445CC-0ADD-46ED-8506-66260C
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C6E99FE7-B097-4957-84F6-329567\B37BC1CD-998B-495C-8588-28822D
Adware:Adware/SAHAgent No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D2CFD1C6-DD39-43A3-B941-C0C9B6\01362B38-2860-42BC-81DE-041741


here is the panda scan..

Hi Tommie

Welcome to Microsoft AntiSpyware
How to Remove a Quarantined Item
You can permanently remove any items in quarantine. To permanently remove an item from quarantine:
1. A list of all items in your quarantine is displayed. Select the item you would like to delete and when the item appears in the right details pane, click Remove Threat. This permanently removes the threat from your computer.
2. To remove multiple threats in the quarantine, select each item and click Remove all checked Threats at the bottom of the screen.
3. Delete all Quarantined items

C:\Program Files\Microsoft AntiSpyware\Quarantine\

Thomas.GROENENDAAL Delete all files in your temp folder
C:\DOCUME~1\THOMAS~1.GRO\LOCALS~1\Temp\

Thomas.GROENENDAAL delete the following file from your Favorieten
C:\Documents and Settings\Thomas.GROENENDAAL\Favorieten\Fun & Games\Betting.lnk

Frank.GROENENDAAL Delete all files in your temp folder
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Frank.GROENENDAAL\Local Settings\Temp\

Kc

So much thanx man..

I hope im now relieved of all the s*** on my computer..

I am now running my ad-aware scan, AVG and S&D if there isnt anything left..just to be sure..

Well non off my scans discovered any threats..

I hope this was it, but if I found any other problems I just contact you guys..

MUCH MUCH MUCH thanx to you thatman for helping me..

Greetz from Tommie..

Hi Tommie

Congratulations! Your system is CLEAN

Download the Microsoft Antispyware

Download the CCleaner unzip the file to install.
Open CCleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Run the ccleaner

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

Turn of system restore
Disabling or enabling Windows XP System Restore

Turn system restore back on and create a new restore point. Defrag your hard drive

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox user posted image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

After doing all these, your system will be thoroughly protected from future threats.

Kc