Attacked Again


  • This topic is locked

#1
Diddles

  • Member
  • 19 posts
OK I was attacked last night in a matter of minutes, to stop the attack I ended up having to unplug my computer from the wall... When I rebooted so many things went wrong. My desktop is a "stop spyware ad" and I had pop up after pop up, search tools and very strange error messages. I followed the "start Here" guide in the beginning of your home page. I have followed all the instructions. Everything seems to be back to normal except my desktop is still a "stop spyware" ad. My system response time is also very slow. I am posting my HJT Log below:

Logfile of HijackThis v1.99.0
Scan saved at 10:35:32 PM, on 3/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\j8wao3s6\j8wao3s6.exe
C:\WINDOWS\System32\yxgtynr\gnxoi.exe
C:\WINDOWS\System32\gdgxcrp\cnun.exe
C:\WINDOWS\System32\rfcruik\wgtgg.exe
C:\WINDOWS\newsd32.exe
C:\WINDOWS\System32\ntddetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\ptech.exe
C:\WINDOWS\System32\ptech.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Highjack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O2 - BHO: (no name) - {301BFA50-6FE9-4CE1-B989-88C9BA25628E} - C:\WINDOWS\System32\kndb.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E1DC657-71C4-424A-9F8B-2872E18278A4} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {6C84AAD8-B583-4F24-8C40-8F43F596C404} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {7E9ABA18-FCCF-4DB9-88BD-C817F0E28CE3} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {95C884C5-6D3B-4B45-9918-54D4077D81A6} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {974C0BF2-6C32-4EDC-82E9-937167B20C11} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {BE6627CA-0B2D-47C8-A85F-3C4A43D0E980} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {C0D9A98B-4A66-4A36-9C04-BDDDDDDDEB5B} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F2D93954-C5EE-4D86-AF94-50A1875F4718} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {FBBD0D36-7AA5-425D-8AA3-A0022CB8470F} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iyixmw] c:\windows\system32\iyixmw.exe
O4 - HKLM\..\Run: [ljvhtc] C:\WINDOWS\System32\ljvhtc.exe
O4 - HKLM\..\Run: [j8wao3s6] C:\Program Files\j8wao3s6\j8wao3s6.exe
O4 - HKLM\..\Run: [gnxoi] C:\WINDOWS\System32\yxgtynr\gnxoi.exe
O4 - HKLM\..\Run: [cnun] C:\WINDOWS\System32\gdgxcrp\cnun.exe
O4 - HKLM\..\Run: [wgtgg] C:\WINDOWS\System32\rfcruik\wgtgg.exe
O4 - HKLM\..\Run: [chrpwc] C:\WINDOWS\System32\chrpwc.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitefpl32.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094580171281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thank you sooo much for all that you do, your services are invaluable!

Diddles
  • 0



#2
Guest_thatman_*

  • Guest
Hi Diddles

Welcome to geekstogo ;)

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; Click here for how to do this if you're unsure.

Press Ctrl+Alt+Delete once -> Click Task Manager -> Click the Processes tab -> Double-click the Image Name column header to alphabetically sort the processes -> Scroll through the list and look for:

C:\Program Files\j8wao3s6\j8wao3s6.dll
c:\windows\system32\iyixmw.exe
C:\WINDOWS\System32\ljvhtc.exe
C:\WINDOWS\System32\yxgtynr\gnxoi.exe
C:\WINDOWS\System32\gdgxcrp\cnun.exe
C:\WINDOWS\System32\rfcruik\wgtgg.exe
C:\WINDOWS\System32\chrpwc.exe
C:\windows\system32\elitefpl32.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\System32\sysmonnt
C:\WINDOWS\System32\ptech.exe
C:\WINDOWS\System32\ntddetect.exe

If you find the files, click on them, and then click End Process -> Exit the Task Manager.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: (no name) - {5E1DC657-71C4-424A-9F8B-2872E18278A4} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {6C84AAD8-B583-4F24-8C40-8F43F596C404} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {7E9ABA18-FCCF-4DB9-88BD-C817F0E28CE3} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {95C884C5-6D3B-4B45-9918-54D4077D81A6} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {974C0BF2-6C32-4EDC-82E9-937167B20C11} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {BE6627CA-0B2D-47C8-A85F-3C4A43D0E980} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {C0D9A98B-4A66-4A36-9C04-BDDDDDDDEB5B} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F2D93954-C5EE-4D86-AF94-50A1875F4718} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O2 - BHO: (no name) - {FBBD0D36-7AA5-425D-8AA3-A0022CB8470F} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O4 - HKLM\..\Run: [iyixmw] c:\windows\system32\iyixmw.exe
O4 - HKLM\..\Run: [ljvhtc] C:\WINDOWS\System32\ljvhtc.exe
O4 - HKLM\..\Run: [j8wao3s6] C:\Program Files\j8wao3s6\j8wao3s6.exe
O4 - HKLM\..\Run: [gnxoi] C:\WINDOWS\System32\yxgtynr\gnxoi.exe
O4 - HKLM\..\Run: [cnun] C:\WINDOWS\System32\gdgxcrp\cnun.exe
O4 - HKLM\..\Run: [wgtgg] C:\WINDOWS\System32\rfcruik\wgtgg.exe
O4 - HKLM\..\Run: [chrpwc] C:\WINDOWS\System32\chrpwc.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitefpl32.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe

Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\j8wao3s6\j8wao3s6.dll<--Delete the whole folder
c:\windows\system32\iyixmw.exe<--Delete this file
C:\WINDOWS\System32\ljvhtc.exe<--Delete this file
C:\WINDOWS\System32\yxgtynr\gnxoi.exe<--Delete the whole folder
C:\WINDOWS\System32\gdgxcrp\cnun.exe<--Delete the whole folder
C:\WINDOWS\System32\rfcruik\wgtgg.exe<--Delete the whole folder
C:\WINDOWS\System32\chrpwc.exe<--Delete this file
C:\windows\system32\elitefpl32.exe<--Delete this file
C:\WINDOWS\System32\tibs5.exe<--Delete this file
C:\WINDOWS\System32\sysmonnt<--Delete this file
C:\WINDOWS\System32\ptech.exe<--Delete this file
C:\WINDOWS\System32\ntddetect.exe<--Delete this file


Exit Explorer, and reboot as normal afterwards.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :thumbsup:

Kc :tazz:
  • 0

#3
Diddles

  • Topic Starter
  • Member
  • 19 posts
OK - I followed the directions above, when I went to Task Manager to "end process" on file: C:\WINDOWS\System32\ptech.exe, it would not end the process. Also there were 2 files with this name running, neither would let me end process.

So I moved on through the instructions.

When I got to Safe mode and had to delete files, some were not found. I still deleted the ones that I did find.

After following all the instructions minus the ones that didn't work or couldn't be found, I rebooted. The system response time is much better, I would say it is normal. However, I still have spyware ad as my desktop background and my Internet Explorer is still pointing my home page to DOASearch.com.

Below is my latest HJT Log

:tazz:

Thanks Again!!!!!!!!!


Logfile of HijackThis v1.99.0
Scan saved at 11:27:27 AM, on 3/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\newsd32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Highjack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O2 - BHO: (no name) - {23012C11-B73C-474E-8437-DA1A881ED264} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O2 - BHO: (no name) - {301BFA50-6FE9-4CE1-B989-88C9BA25628E} - C:\WINDOWS\System32\kndb.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {5069AB37-667B-4892-BC32-5C8DC7BCD872} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C54A2665-674C-4D76-8B63-8F39C08AE199} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [gnxoi] C:\WINDOWS\System32\yxgtynr\gnxoi.exe
O4 - HKLM\..\Run: [cnun] C:\WINDOWS\System32\gdgxcrp\cnun.exe
O4 - HKLM\..\Run: [wgtgg] C:\WINDOWS\System32\rfcruik\wgtgg.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094580171281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Diddles
  • 0
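Added example, not part of any post in this thread and not HijackThis's own code: a Python check that compares a fix list with the next scan, reporting fix-listed entries that survived and other entries that load the same file from a launch point that was not on the list. The function names and line-format regexes are assumptions based on the log lines shown above; the sample text is excerpted from posts #2 and #3.

```python
import re

# Excerpts copied from this thread: part of the fix list in post #2 and part
# of the rescan log in post #3 (shortened so the example stays readable).
FIX_LIST = r"""
O2 - BHO: (no name) - {5E1DC657-71C4-424A-9F8B-2872E18278A4} - C:\Program Files\j8wao3s6\j8wao3s6.dll
O4 - HKLM\..\Run: [iyixmw] c:\windows\system32\iyixmw.exe
O4 - HKLM\..\Run: [gnxoi] C:\WINDOWS\System32\yxgtynr\gnxoi.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
"""

RESCAN = r"""
Running processes:
C:\WINDOWS\explorer.exe
O2 - BHO: (no name) - {23012C11-B73C-474E-8437-DA1A881ED264} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [gnxoi] C:\WINDOWS\System32\yxgtynr\gnxoi.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
"""

# Assumed line shapes, inferred from the logs in this thread.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                   # "O4 - ..."
O4_REG = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")   # registry autorun
BHO = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")      # browser helper


def _target(cmd):
    """Lower-cased file a command or BHO entry points at, without arguments."""
    cmd = cmd.replace("(file missing)", "").strip().strip('"').lower()
    m = re.match(r"(.+?\.(?:exe|dll))", cmd)
    return m.group(1) if m else cmd


def parse(text):
    """Return one dict (code, key, target, line) per HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank line or running-process path
        code, body = m.groups()
        key, target = body.lower(), None
        if code == "O4" and (r := O4_REG.match(body)):
            # Identity of an autorun is (registry location, value name).
            key, target = (r.group(1).lower(), r.group(2).lower()), _target(r.group(3))
        elif code == "O2" and (b := BHO.match(body)):
            # Identity of a BHO is its CLSID; the DLL is only the target.
            key, target = b.group(1).lower(), _target(b.group(2))
        entries.append({"code": code, "key": (code, key),
                        "target": target, "line": line})
    return entries


def survivors(fix_list, rescan):
    """Fix-listed entries still present under the same key in the rescan."""
    still = {e["key"] for e in parse(rescan)}
    return [e["line"] for e in parse(fix_list) if e["key"] in still]


def other_launch_points(fix_list, rescan):
    """Rescan entries that load a fix-listed file but were not on the list."""
    fixed = parse(fix_list)
    keys = {e["key"] for e in fixed}
    targets = {e["target"] for e in fixed if e["target"]}
    return [e["line"] for e in parse(rescan)
            if e["target"] in targets and e["key"] not in keys]


if __name__ == "__main__":
    print("Still present after the fix:")
    for line in survivors(FIX_LIST, RESCAN):
        print("  " + line)
    print("Same file, launch point not on the fix list:")
    for line in other_launch_points(FIX_LIST, RESCAN):
        print("  " + line)
```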

#4
Guest_thatman_*

  • Guest
Hi Diddles

Please set your system to show all files; Click here for how to do this if you're unsure.

Please read through the instructions before you start (you may want to print this out).

1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\ntddetect.exe

6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.

C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\yxgtynr\gnxoi.exe
C:\WINDOWS\System32\gdgxcrp\cnun.exe
C:\WINDOWS\System32\rfcruik\wgtgg.exe
C:\WINDOWS\System32\ptech.exe



Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
O2 - BHO: (no name) - {23012C11-B73C-474E-8437-DA1A881ED264} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O2 - BHO: (no name) - {301BFA50-6FE9-4CE1-B989-88C9BA25628E} - C:\WINDOWS\System32\kndb.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {5069AB37-667B-4892-BC32-5C8DC7BCD872} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O2 - BHO: (no name) - {C54A2665-674C-4D76-8B63-8F39C08AE199} - C:\Program Files\j8wao3s6\j8wao3s6.dll (file missing)
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [gnxoi] C:\WINDOWS\System32\yxgtynr\gnxoi.exe
O4 - HKLM\..\Run: [cnun] C:\WINDOWS\System32\gdgxcrp\cnun.exe
O4 - HKLM\..\Run: [wgtgg] C:\WINDOWS\System32\rfcruik\wgtgg.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\j8wao3s6\j8wao3s6.dll<--Delete the whole folder
C:\WINDOWS\System32\kndb.dll <--Delete this file
C:\Program Files\E2G\IeBHOs.dll<--Delete the whole folder
C:\WINDOWS\System32\ntddetect.exe<--Delete this file
C:\WINDOWS\System32\yxgtynr\gnxoi.exe<--Delete the whole folder
C:\WINDOWS\System32\gdgxcrp\cnun.exe<--Delete the whole folder
C:\WINDOWS\System32\rfcruik\wgtgg.exe<--Delete the whole folder
C:\WINDOWS\System32\ptech.exe<--Delete this file

Exit Explorer, and reboot as normal afterwards.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

Kc :tazz:
  • 0

#5
Diddles

  • Topic Starter
  • Member
  • 19 posts
Hi Again -

I followed all instructions.

My homepage is fixed, my system response is great.... but I still have a remove spyware ad as my desktop background.

Here is my latest HJT log, thanks again!

Logfile of HijackThis v1.99.0
Scan saved at 3:12:45 PM, on 3/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\newsd32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Highjack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qwest.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094580171281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Diddles
  • 0

#6
Guest_thatman_*

  • Guest
Hi Diddles

Please follow the following steps: Right click on a blank area on your DeskTop > Click on the DeskTop button > Click on Customize Desktop > Click on Web > Inside of this box you will see My Current Home Page > Click on Properties > Now uncheck the box Make this page available offline > Now click on Schedule, remove any links that are showing, Click on the item Only when I choose Synchronize from the tools menu. Click on Apply then OK > We are now back to the Web page, you can now delete the offending item. Just reset your background to your choosing.

Please repost a new HJT.log

Thanks

Kc :tazz:
  • 0

#7
Diddles

  • Topic Starter
  • Member
  • 19 posts
Hi - Sorry this took so long I was out of town... :tazz:

So I got rid of my desktop ad! Yah!

I ran a new HJT log, it's below. One more thing, now I have some virus worm thing trying to send emails out. I don't even have to be logged in to my email for this to happen... My McAfee Virus software pops a message every second or so letting me know that emails are going out and do I want to stop them. I said yes, about a hundred times before I stopped getting the message. Also, I noticed when I shut down my computer the last two times that programs are not responding and are going through the "end now" process upon shutdown. I don't recognize these programs, they seem to be malicious programs but I don't know where to find them or how to identify them. ;)

Anyways... here;'s my log. I don't know what I would do without your help!

Thanks

Diddles

Logfile of HijackThis v1.99.0
Scan saved at 10:43:29 AM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\newsd32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Highjack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qwest.net/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094580171281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • 0

#8
Guest_thatman_*
Hi Diddles

Please set your system to show all files; Click here for how to do this if you're unsure.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\newsd32.exe
C:\WINDOWS\regchecka.exe


Exit Explorer

Reboot into normal mode (simply restart your computer as you normally would),

Please run the following free online virus scans. Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Kc :tazz:
  • 0

#9
Diddles
Hi! OK, ran the stuff. Here are my logs:

HJT Log:

Logfile of HijackThis v1.99.0
Scan saved at 3:24:08 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Highjack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qwest.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094580171281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe



Here is my Trend Housecall Virus scan report:

Virus Scan
0 virus cleaned, 0 virus deleted



Results:
We have detected 5 infected file(s) with 5 virus(es) on your computer: 0 virus(es) cleaned, 5 virus(es) uncleanable, 0 virus(es) deleted, 0 virus(es) undeletable, 0 virus(es) passed.
Detected File Associated Virus Name Action taken
C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc18.exe TROJ_AGENT.ML
Uncleanable
C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc21.exe TROJ_AGENT.MX
Uncleanable
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP357\A0033861.exe TROJ_AGENT.AAB
Uncleanable
C:\WINDOWS\BTGrab.dll TROJ_BISPY.B
Uncleanable
C:\WINDOWS\sys5323.exe TROJ_AGENT.ML
Uncleanable

Trojan/Worm Check
0 worm/Trojan horse deleted


What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer: 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable, 0 worm(s)/Trojan(s) passed.


What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer: 0 spyware(s) removed, 0 spyware(s) unremovable, 0 spyware(s) passed.


What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer.



Here is my Panda Virus Report:


Incident Status Location

Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Spyware:Spyware/AdClicker No disinfected Windows Registry
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\Lycos
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Tricia Pobjoy\Application Data\tvm*.dll
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Tricia Pobjoy\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\DealHelper
Adware:Adware/AdLogix No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar
Adware:Adware/Beginto No disinfected C:\WINDOWS\system32\dsktrf.dll
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/E2Give No disinfected Windows Registry
Spyware:Spyware/IESearchToolbarNo disinfected C:\Program Files\iesearchtoolbar
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGrab.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tricia Pobjoy\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\srpcsrv32.dll
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Tricia Pobjoy\Application Data\osoa.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\DrTemp\thnall1b.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\i50.tmp
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\thnall1r.exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\uninstall.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temporary Internet Files\Content.IE5\CXMVCPYN\32[1].bin
Adware:Adware/MyWay No disinfected C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temporary Internet Files\Content.IE5\JHKY40OZ\26[1].bin
Adware:Adware/IESearchBar No disinfected C:\Program Files\IESearchToolbar\IESearchToolbar.dll
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\S42NS.EXE
Adware:Adware/AdLogix No disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc11.exe
Adware:Adware/AdLogix No disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc15.exe
Virus:Trj/Agent.FW Disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc18.exe
Virus:Trj/Downloader.ASG Disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc20.dll
Virus:Trj/Downloader.ALQ Disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc21.exe
Virus:Trj/Downloader.AVC Disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc22.exe
Adware:Adware/Envolo No disinfected C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc7\setup.inf
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGrab.dll
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\dlmax.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\btgrab.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\farmmext.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\zserv.inf
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/OneMore.A No disinfected C:\WINDOWS\nylin.dll
Adware:Adware/OneMore.A No disinfected C:\WINDOWS\opkoo.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\sys5235.exe
Virus:Trj/Agent.FW Disinfected C:\WINDOWS\sys5323.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\bH.dll
Virus:Trj/Downloader.AWZ Disinfected C:\WINDOWS\SYSTEM32\Cache\20001.exe
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM32\Cache\s4Sept.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\Cache\thin-8-1-x-x.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM32\Cache\wrapperouter.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM32\chrpwf.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM32\ljvht.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM32\ljvhtd.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM32\ljvhtf.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\LASS~1.EXE
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\msbb321.dll
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM32\osconfig.dll
Virus:Trj/Downloader.ASG Disinfected C:\WINDOWS\SYSTEM32\srpcsrv32.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\SYSTEM32\v229.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\WTuninst.exe


Thanks Again!! :tazz:
  • 0
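The fix-then-rescan check in the posts above, as an added example (not part of the original thread and not HijackThis's own code): a Python sketch that parses the entry lines of two HijackThis logs, diffs them, and confirms that the items listed for "Fix Checked" no longer appear in the follow-up scan. The sample logs are excerpts of the two 3/9/2005 scans posted in this thread; the function names are this example's own.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23)
# followed by " - ". Header lines and the "Running processes" list do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return [(section_code, detail), ...] for every entry line in a log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def entry_key(entry):
    # Windows paths are case-insensitive and HijackThis may report the same
    # file with different casing in two scans (mcupdate.exe vs McUpdate.exe).
    return (entry[0], entry[1].lower())


def diff_logs(before_text, after_text):
    """Return (removed, added): entries only in the first / only in the second log."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_keys = {entry_key(e) for e in before}
    after_keys = {entry_key(e) for e in after}
    removed = [e for e in before if entry_key(e) not in after_keys]
    added = [e for e in after if entry_key(e) not in before_keys]
    return removed, added


def still_present(fix_list_text, after_text):
    """Entries from the helper's fix list that still show up in the new log."""
    after_keys = {entry_key(e) for e in parse_entries(after_text)}
    return [e for e in parse_entries(fix_list_text) if entry_key(e) in after_keys]


# Excerpt of the 10:43:29 AM scan posted in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:43:29 AM, on 3/9/2005
Running processes:
C:\WINDOWS\newsd32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qwest.net/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
"""

# Excerpt of the 3:24:08 PM scan posted after the fix.
AFTER = r"""Logfile of HijackThis v1.99.0
Scan saved at 3:24:08 PM, on 3/9/2005
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qwest.net/
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# The four items the helper asked to check before "Fix Checked".
FIX_LIST = r"""F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\regchecka.exe
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [regcheck] C:\WINDOWS\regchecka.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed since last scan:")
    for code, detail in removed:
        print(f"  {code} - {detail}")
    print("New since last scan:", added or "none")
    leftover = still_present(FIX_LIST, AFTER)
    print("Fix-list items still present:", leftover or "none")
```

An entry disappearing from the log only shows that the registry value or startup item is gone; the files themselves still have to be removed and scanned for, which is why the thread continues with file deletion and online scans.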

#10
Guest_thatman_*
Hi Diddles

Download the CCleaner.
I use this program, and it is set up like this: all boxes are checked.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

ActiveX Controls could do with a big cleanup. Open your browser and go to Tools > Internet Options and click on the General Tab. Click on Settings (next to Temporary Internet Files) and then click on View Objects. Right-click on each and choose Properties. If there is anything there that you don't know what it is (Microsoft, Apple, Macromedia etc. are OK) or where it came from, delete it. If there are any damaged controls there, delete those also. If any are needed, you will be prompted to download them again anyway.

Now run the cleaner

C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc11.exe
C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc15.exe
C:\RECYCLER\S-1-5-21-672552267-779557215-1803055576-1007\Dc7\setup.inf


C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\DrTemp\thnall1b.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\i50.tmp
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\thnall1r.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\uninstall.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\DrTemp\thnall1b.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\i50.tmp
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\thnall1r.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temp\uninstall.exe


C:\Documents and Settings\Tricia Pobjoy\Application Data\tvm*.dll
C:\Documents and Settings\Tricia Pobjoy\Application Data\Lycos
C:\Documents and Settings\Tricia Pobjoy\Favorites\Sites about\Ab scissor.url
C:\Documents and Settings\Tricia Pobjoy\Application Data\osoa.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temporary Internet Files\Content.IE5\CXMVCPYN\32[1].bin
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temporary Internet Files\Content.IE5\JHKY40OZ\26[1].bin
C:\Documents and Settings\Tricia Pobjoy\Application Data\osoa.exe
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temporary Internet Files\Content.IE5\CXMVCPYN\32[1].bin
C:\Documents and Settings\Tricia Pobjoy\Local Settings\Temporary Internet Files\Content.IE5\JHKY40OZ\26[1].bin


C:\Program Files\iesearchtoolbar <-- Delete the whole folder
C:\Program Files\IESearchToolbar\IESearchToolbar.dll <-- Delete the whole folder
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL <-- Delete the whole folder
C:\Program Files\Lycos <-- Delete the whole folder
C:\Program Files\cxtpls <-- Delete the whole folder


1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\NDNuninstall*.exe

6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt
8. Continue with all items below

C:\WINDOWS\NDNuninstall*.exe
C:\WINDOWS\Helper101.dll
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\EliteSideBar
C:\WINDOWS\system32\dsktrf.dll
C:\WINDOWS\system32\osconfig.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\system32\srpcsrv32.dll


C:\WINDOWS\BTGrab.dll
C:\WINDOWS\dlmax.dll
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\INF\farmmext.inf
C:\WINDOWS\INF\zserv.inf
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\system32\DealHelper


C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\nylin.dll
C:\WINDOWS\opkoo.dll
C:\WINDOWS\sys5235.exe
C:\WINDOWS\SYSTEM32\bH.dll
C:\WINDOWS\SYSTEM32\Cache\20001.exe
C:\WINDOWS\SYSTEM32\Cache\s4Sept.exe
C:\WINDOWS\SYSTEM32\Cache\thin-8-1-x-x.exe
C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\SYSTEM32\Cache\wrapperouter.exe


C:\WINDOWS\SYSTEM32\chrpwf.exe
C:\WINDOWS\SYSTEM32\ljvht.dll
C:\WINDOWS\SYSTEM32\ljvhtd.exe
C:\WINDOWS\SYSTEM32\ljvhtf.exe
C:\WINDOWS\SYSTEM32\LASS~1.EXE
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\osconfig.dll
C:\WINDOWS\SYSTEM32\srpcsrv32.dll
C:\WINDOWS\SYSTEM32\v229.exe
C:\WINDOWS\Temp\WTuninst.exe

Please run the following free online virus scans. Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Kc :tazz:
  • 0

#11
Diddles
I need to ask a question about the instructions above. I just finished running the cleaner. Below this step you list a number of file names. Am I supposed to delete these in safe mode or with HJT? These are the files you list before the Pocket Killbox directions. Sorry for the confusion and thank you!!!

Diddles :tazz:
  • 0

#12
Guest_thatman_*
Hi Diddles

1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\NDNuninstall*.exe

6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt
8. Continue with all items in blue below and delete them with Killbox.

C:\WINDOWS\NDNuninstall*.exe
C:\WINDOWS\Helper101.dll
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\EliteSideBar
C:\WINDOWS\system32\dsktrf.dll
C:\WINDOWS\system32\osconfig.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\system32\srpcsrv32.dll


C:\WINDOWS\BTGrab.dll
C:\WINDOWS\dlmax.dll
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\INF\farmmext.inf
C:\WINDOWS\INF\zserv.inf
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\system32\DealHelper


C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\nylin.dll
C:\WINDOWS\opkoo.dll
C:\WINDOWS\sys5235.exe
C:\WINDOWS\SYSTEM32\bH.dll
C:\WINDOWS\SYSTEM32\Cache\20001.exe
C:\WINDOWS\SYSTEM32\Cache\s4Sept.exe
C:\WINDOWS\SYSTEM32\Cache\thin-8-1-x-x.exe
C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\SYSTEM32\Cache\wrapperouter.exe


C:\WINDOWS\SYSTEM32\chrpwf.exe
C:\WINDOWS\SYSTEM32\ljvht.dll
C:\WINDOWS\SYSTEM32\ljvhtd.exe
C:\WINDOWS\SYSTEM32\ljvhtf.exe
C:\WINDOWS\SYSTEM32\LASS~1.EXE
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\osconfig.dll
C:\WINDOWS\SYSTEM32\srpcsrv32.dll
C:\WINDOWS\SYSTEM32\v229.exe
C:\WINDOWS\Temp\WTuninst.exe



Please run the following free online virus scans. Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Kc :tazz:
  • 0

#13
Diddles
:tazz:

I understand these instructions, but in the first email (meaning the one before this last one) you listed a lot of files, then you list some folders, and your instructions say to delete these folders (but there are no instructions for the files listed above these folders). Do I do this in safe mode or HJT, or do I ignore these instructions and move straight to the Killbox instructions...

I am sorry to be such a pain. Thanks ;)
  • 0

#14
Guest_thatman_*
Hi Diddles

You are not a pain :tazz:

Remove all the items in blue in my last post with Killbox. When you have completed that list, do the online virus scans.

Please run the following free online virus scans. Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Kc ;)
  • 0

#15
Diddles
OK, I did all the stuff, although I could not get Housecall to work. I ran the Panda scan and HJT, but Housetrend would not work at all a few hours ago, and when I just went in to try it again I got all the way to the "scan now" screen and then it goes to a blank page and does not start scanning... So here are the HJT Log and the Panda Virus Scan report:

HJT Log:

Logfile of HijackThis v1.99.0
Scan saved at 3:14:52 PM, on 3/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Highjack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qwest.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe



Panda Report:


Incident Status Location

Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Spyware:Spyware/AdClicker No disinfected Windows Registry
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\Lycos
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Tricia Pobjoy\Application Data\tvm*.dll
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Tricia Pobjoy\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\DealHelper
Adware:Adware/AdLogix No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteSideBar
Adware:Adware/Beginto No disinfected C:\WINDOWS\system32\dsktrf.dll
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/E2Give No disinfected Windows Registry
Spyware:Spyware/IESearchToolbar No disinfected C:\Program Files\iesearchtoolbar
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGrab.dll
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Tricia Pobjoy\Favorites\Sites about\Ab scissor.url
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Tricia Pobjoy\Application Data\osoa.exe
Adware:Adware/IESearchBar No disinfected C:\Program Files\IESearchToolbar\IESearchToolbar.dll
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\S42NS.EXE

Thanks for your help and being patient with me! :tazz: