trojan horse and poss virus

#1
Sydney88

  • Member
  • 24 posts
Hello
I have done everything asked in the sticky post and still my computer is running slower than a snail. It will also restart itself randomly for no apparent reason. I also can't download or install any updates from the Microsoft website; it will try but just comes up with a message saying it has failed.

I even have to turn off AVG Grisoft to open up the HJT log, otherwise every time I try to open it I get a message saying I have a trojan horse PSW.ldpinch.3.l and it won't delete it. PLEASE HELP

Finally, here is my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 17:06:08, on 19/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d60bf2301df38323b164fb3451417454\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hmaqygd.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SDWin32 Class - {2784E164-4519-4A48-B9FC-DDFEA762FB64} - C:\WINDOWS\System32\jomgd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {} - (no file)
O3 - Toolbar: (no name) - {C6177F25-2C7F-494F-8214-5A946D052E13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: GreatDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\GreatDownloads (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masmin...aaplicacion.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09145AC-38EB-4930-AA02-24B9A31D09EB}: NameServer = 195.92.195.95 195.92.195.94
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Digital Access USB start up - British Telecommunications plc - C:\Program Files\BT Digital Access USB\vstartx.exe
O23 - Service: ISDN connection log - British Telecommunications plc - C:\Program Files\BT Digital Access USB\gisdnlog.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows User Mode Driver Framework - Unknown - C:\WINDOWS\System32\wdfmgr.exe (file missing)

#2
Wizard

  • Retired Staff
  • 5,661 posts
Hi Sydney88, welcome to GeekstoGo!

I need you to have a file scanned. Use the 2 links below and scan this file for viruses:

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d60bf2301df38323b164fb3451417454\update\update.exe<<< Just Scan the Update.exe

Scan Sites:

Kaspersky

Rav

If the results are Infected, add it to the list to delete in Safe Mode!

For the time being, while online, please go to Add\Remove Programs and remove:

BearShare<<< Certain Versions Contain Spyware!
GreatDownloads

Let's unregister a DLL. To do this:

Click Start >>> Click Run >>> Copy & paste the text below into the text box and click OK!!

regsvr32 /u jomgd.dll
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\System32\jomgd.dll

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL (file missing)

O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hmaqygd.dll (file missing)

O2 - BHO: SDWin32 Class - {2784E164-4519-4A48-B9FC-DDFEA762FB64} - C:\WINDOWS\System32\jomgd.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O2 - BHO: (no name) - {} - (no file)

O3 - Toolbar: (no name) - {C6177F25-2C7F-494F-8214-5A946D052E13} - (no file)

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL (file missing)

O9 - Extra button: GreatDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\GreatDownloads (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masmin...aaplicacion.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab

O19 - User stylesheet: (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

After restarting in Safe Mode, configure Windows to show all hidden files and folders. This must be done after restarting in Safe Mode!!
Here is a link to help with that:
Hidden Files
Make sure to follow the directions for XP

Now, locate and delete the entries in bold print:

C:\Program Files\BearShare<<< Entire Bear Share Folder!

C:\Program Files\MyWay<<< Entire MyWay Folder!

C:\WINDOWS\System32\jomgd.dll<<< File Only!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
Make Sure Normal Startup is Checked!!
Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
Msconfig

#3
Sydney88

  • Topic Starter
  • Member
  • 24 posts
Hey, thank you for your help. I have done everything you asked.
There wasn't any virus in the update.exe folder though. I also couldn't find the MyWay folder; it wasn't there.

Anyway, here is my new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:19:03, on 20/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\specialoffers4.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Documents and Settings\All Users\Documents\new HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7210e87e3912d997c94a92cc081e02d4\update\update.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F3 - REG:win.ini: run=c:\windows\system32\audcntr.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SDWin32 Class - {2784E164-4519-4A48-B9FC-DDFEA762FB64} - C:\WINDOWS\System32\jomgd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wkupdl] C:\WINDOWS\System32\ptjzvtf.exe
O4 - HKLM\..\Run: [windrv] C:\WINDOWS\System32\windrv32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpecialOffers] C:\WINDOWS\specialoffers4.exe
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [kaocefmcrnax] C:\WINDOWS\System32\ptjzvtf.exe
O4 - HKLM\..\Run: [Hot_Tarts] C:\Program Files\Video1\Dialers\Hot_Tarts\Hot_Tarts.exe /dontdial
O4 - HKLM\..\Run: [GOZGQYBM] c:\windows\system32\gozgqybm.exe /install
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [BAVVXGPD] c:\windows\system32\bavvxgpd.exe /install
O4 - HKLM\..\Run: [Audcntr] c:\windows\system32\audcntr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O20 - Winlogon Notify: msguard - eplrr0.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

#4
Wizard

  • Retired Staff
  • 5,661 posts
OK, I see Msconfig was holding quite a bit!!

I need you to Download and Run RapidBlaster Killer 1.61

Get it here:
RapidBlaster
If it finds RapidBlaster, a log will be created in the same folder you downloaded it to!

Once that's finished, please have the PC scanned here:
Panda
Save any results from this scan also!

Once all this is completed, post back with a fresh HijackThis log and the results from Panda and RapidBlaster!

#5
Sydney88

  • Topic Starter
  • Member
  • 24 posts
OK, the RapidBlaster didn't find anything, and the Panda won't work as I'm using Mozilla Firefox as my browser and it says only Microsoft Explorer works. Shall I reinstall Explorer?

#6
Wizard

  • Retired Staff
  • 5,661 posts
OK, well that should mean that deleting what's left of RapidBlaster will be a piece of cake!

While online, go to Add\Remove Programs and remove these if they exist:

WildTangent CDA
WebRebates0
TV Media
SpecialOffers
P2P Networking
ClearSearch\ClrSchLoader
CMESys\CMEII
AltnetPointsManager
WeatherCast
GMT


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

F3 - REG:win.ini: run=c:\windows\system32\audcntr.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: SDWin32 Class - {2784E164-4519-4A48-B9FC-DDFEA762FB64} - C:\WINDOWS\System32\jomgd.dll (file missing)

O2 - BHO: (no name) - {} - (no file)

O4 - HKLM\..\Run: [wkupdl] C:\WINDOWS\System32\ptjzvtf.exe

O4 - HKLM\..\Run: [windrv] C:\WINDOWS\System32\windrv32.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [SpecialOffers] C:\WINDOWS\specialoffers4.exe

O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm

O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm

O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [kaocefmcrnax] C:\WINDOWS\System32\ptjzvtf.exe

O4 - HKLM\..\Run: [Hot_Tarts] C:\Program Files\Video1\Dialers\Hot_Tarts\Hot_Tarts.exe /dontdial

O4 - HKLM\..\Run: [GOZGQYBM] c:\windows\system32\gozgqybm.exe /install

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [BAVVXGPD] c:\windows\system32\bavvxgpd.exe /install

O4 - HKLM\..\Run: [Audcntr] c:\windows\system32\audcntr.exe

O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O20 - Winlogon Notify: msguard - eplrr0.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

After restarting in Safe Mode, configure Windows to show all hidden files and folders. This must be done after restarting in Safe Mode!!
Here is a link to help with that:
Hidden Files
Make sure to follow the directions for XP!

Locate and delete these files and folders I have listed in bold print!!

Folders First:

C:\Program Files\WildTangent<<< Entire WildTangent Folder!

C:\Program Files\Web_Rebates<<<Entire Web_Rebates Folder!

C:\Program Files\TV Media<<<Entire TV Media Folder!

C:\Program Files\RapidBlaster<<<Entire RapidBlaster Folder!

C:\Program Files\Video1<<<Entire Video1 Folder!

C:\Program Files\ClearSearch<<<Entire ClearSearch Folder!

C:\Program Files\altnet<<<Entire altnet Folder!

C:\Program Files\WeatherCast<<<Entire WeatherCast Folder!

C:\Program Files\Common Files\GMT<<< Entire GMT Folder!

C:\Program Files\Common files\updmgr<<< Entire updmgr Folder!

C:\Program Files\Common Files\CMEII<<< Entire CMEII Folder!

C:\WINDOWS\System32\P2P Networking<<< Entire P2P Networking Folder!

Files:

C:\WINDOWS\specialoffers4.exe<<< File Only!

C:\WINDOWS\System32\ptjzvtf.exe<<< File Only!

C:\WINDOWS\System32\windrv32.exe<<< File Only!

C:\WINDOWS\System32\sp2ctr.exe<<< File Only!

C:\WINDOWS\System32\sncntr.exe<<< File Only!

C:\WINDOWS\System32\ptjzvtf.exe<<< File Only!

C:\WINDOWS\System32\gozgqybm.exe<<< File Only!

C:\WINDOWS\System32\bavvxgpd.exe<<< File Only!

C:\WINDOWS\System32\audcntr.exe<<< File Only!

Please keep track of any of those you couldn't find!

Use Windows Search Assistant (Click Start >>> Click Search)
Configure like this:
Open the Search Assistant,
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders

Now under All Files and Folders, enter this into the text box:

Start with this file, to make sure it's gone from the system:

eplrr0.dll

Anything you can't find, use the Search Assistant to search the entire system!

Once all this is completed, restart the PC and post a fresh HijackThis log!
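The helper's posts #2 and #6 above read the logs entry by entry, picking out orphaned BHO entries, Run keys that launch oddly named executables from System32, the O20 Winlogon Notify DLL and the O1 hosts redirection. The Python script below is an added example, not code from this thread or from HijackThis, that encodes those same triage checks as a parser for the HijackThis "Xn - body" line format and runs it over a constructed sample built from entries quoted in this thread. The random-name heuristic, the small System32 allowlist and the suspect/info severity labels are this example's own assumptions.

```python
"""Triage helper for HijackThis 1.99 log lines (added example; not code from
the thread or from HijackThis). It encodes the checks the helper applied by
hand as rules over the "Xn - body" entry format. It is a reading aid: every
hit still needs confirming, e.g. by scanning the file as post #2 does."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe directly in System32 (subfolders such as spool\ do not match).
SYSTEM32_EXE_RE = re.compile(r"(?i)\\system32\\(?P<stem>[a-z0-9_]+)\.exe\b")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
VOWELS = set("aeiou")
KNOWN_SYSTEM32 = {"rundll32", "regsvr32", "dumprep"}  # assumed allowlist


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "suspect" or "info"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Assumed heuristic for generated names like ptjzvtf or gozgqybm: six or
    more characters with no vowel, or a run of five or more non-vowels
    (digits count as non-vowels, so windrv32 and sp2ctr are caught too)."""
    s = stem.lower()
    if len(s) >= 6 and not (VOWELS & set(s)):
        return True
    run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        if run >= 5:
            return True
    return False


def classify(section: str, body: str, line: str):
    """Return a Finding for one parsed entry, or None if nothing stands out."""
    if section == "F3" and "win.ini" in body and "run=" in body:
        return Finding(section, "suspect", "legacy win.ini run= autostart", line)
    if section == "O1":
        return Finding(section, "suspect", "hosts-file redirection", line)
    if section == "O20":
        return Finding(section, "suspect", "Winlogon Notify DLL, loads at logon", line)
    if section in ("O2", "O3", "O9"):
        if "{}" in body:
            return Finding(section, "suspect", "BHO/toolbar with empty CLSID", line)
        if any(marker in body for marker in ORPHAN_MARKERS):
            return Finding(section, "info", "orphaned entry, target file gone", line)
    if section == "O4":
        run = RUN_RE.match(body)
        exe = SYSTEM32_EXE_RE.search(run.group("cmd")) if run else None
        if exe and exe.group("stem").lower() not in KNOWN_SYSTEM32:
            if looks_random(exe.group("stem")):
                return Finding(section, "suspect",
                               f"Run key [{run.group('name')}] launches "
                               f"{exe.group('stem')}.exe from System32", line)
    return None


def triage(log_text: str) -> list:
    """Parse every 'Xn - body' entry in a log and collect the findings.
    Header and 'Running processes' lines never match ENTRY_RE and are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            finding = classify(m.group("section"), m.group("body"), line)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: a subset of the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
F3 - REG:win.ini: run=c:\windows\system32\audcntr.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {2784E164-4519-4A48-B9FC-DDFEA762FB64} - C:\WINDOWS\System32\jomgd.dll (file missing)
O2 - BHO: (no name) - {} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wkupdl] C:\WINDOWS\System32\ptjzvtf.exe
O4 - HKLM\..\Run: [GOZGQYBM] c:\windows\system32\gozgqybm.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O20 - Winlogon Notify: msguard - eplrr0.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:7} {f.section:4} {f.reason}\n        {f.line}")
```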

#7
Sydney88

  • Topic Starter
  • Member
  • 24 posts
Thank you for your response. Here is the list of folders and files I couldn't find even using the Search Assistant:

Web_rebates
TV Media
Video1
GMT
updmgr
CMEII
ptjzvtf.exe
windrv32.exe
sp2ctr.exe
ancntr.exe
gozgqybm.exe
audcntr.exe

I found WildTangent with the Search Assistant, but when I tried to delete it an error message came up saying cannot read from the source file or disk.

Here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 15:28:11, on 20/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\67b8b2afbc4da236a51c966c22f26caf\update\update.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\new HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windrv] C:\WINDOWS\System32\windrv32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Hot_Tarts] C:\Program Files\Video1\Dialers\Hot_Tarts\Hot_Tarts.exe /dontdial
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09145AC-38EB-4930-AA02-24B9A31D09EB}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: msguard - C:\WINDOWS\SYSTEM32\eplrr0.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

#8 Wizard (Retired Staff)
OK, let's get nasty with this sucker. I'm almost 100% positive that the Update.exe I had you scan needs to be removed from the system. I would like you to go back to that location and locate that file. I want to know what else is in that Update folder and what else is in the folder that is in bold print:
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\67b8b2afbc4da236a51c966c22f26caf
I just have a bad feeling about that entry!
Once you get to those locations, right-click the file names and select Properties; look and see if there is a Microsoft signature in the file properties!
Also, place the pointer over update.exe; when it displays the info, tell me if it has 2 entries:
Size and Date Created
or
does it have 3 or 4 lines?

Download Pocket KillBox from here:
Pocket KillBox
There is a direct download and a description of what the program does inside this link.
Download, unzip, extract all files and have it ready to use!

Download Microworld's Antivirus Toolkit Utility:
MWAV

Once at the site, select Download Link 1.
Download, extract all files and install!

Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane.

All I need to see is what is displayed in the lower window, so have eScan produce a log, go through and copy the Infected entries to a Notepad page, and post those results here!

Once I get the list from MWAV, we will use KillBox and get rid of the files identified!

Post back with the results from MWAV and we will get busy!

Edited by Cretemonster, 20 March 2005 - 10:00 AM.


#9 Sydney88 (Topic Starter)
Hmm, interesting, the file is the Windows service pack setup? There is also a lot of setup information documents, all with "update" in the title.
When I hover the mouse over it, 5 lines appear:

Description: Windows Service Pack Setup
Company: Microsoft Corporation
File version: 5.5.33.0
Date created: 14/10/2004
Size: 639kb

Also, the second folder you listed doesn't exist.

The scan took 4 hours and I d*** well couldn't make a log, so gotta redo it tomorrow. How do you make a log? When I clicked on View Log nothing happened.

#10 Wizard (Retired Staff)
OK, I am glad you found out that info!!!

So you say the MWAV scan took four hours??

Not sure why you couldn't save a log; try again tomorrow. I will only need to see the entries that are labeled Infected and were displayed in the lower window!

Well, I guess we will see what we will see, once you get it posted!

Edited by Cretemonster, 20 March 2005 - 06:36 PM.


#11 Sydney88 (Topic Starter)
How do you save the log? I have an option to view the log; do I just click that?

#12 Sydney88 (Topic Starter)
Half good news :tazz: redid the scan, only took 13 mins this time, but still couldn't save the log. When I click on View Log the egg timer comes up for a second or two, then nothing happens?

#13 Wizard (Retired Staff)
The site was apparently down this morning before I left for work!!!

So, if the scan found items it deemed Infected, they are indeed just that!!!

Hence, they need to be removed!

If you can, just write them down and post exactly what the scan found!

#14 Sydney88 (Topic Starter)
OK then, here are the files found:

File C:\WINDOWS\system32\hhibybl.exe infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\system32\hjanycr.exe infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\system32\jomgdc.exe infected by"not-a-virus:AdWare.Abstart.b"Virus.
Action Taken: No Action Taken
File C:\WINDOWS\system32\hgidyam.exe infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\HTAFYET.SYS infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\esba-4.exe infected by "Backdoor.Win32.Ruledor.e"Virus. Action Taken: No Action Taken.
File C:\WINDOWS\MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken
File C:\WINDOWS\system32\automove.exe infected by"not-a-virus:AdWare.Abstart.a"Virus.
Action Taken: No Action Taken
File C:\WINDOWS\system32\heauyft.vxd infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\system32\hhibybl.exe infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\system32\hjanycr.exe infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\WINDOWS\system32\jomgdd.exe infected by"not-a-virus:AdWare.Abstart.b"Virus.
Action Taken: No Action Taken
File C:\WINDOWS\system32\jomgdf.exe infected by"not-a-virus:AdWare.Abstart.d"Virus.
Action Taken: No Action Taken
File C:\WINDOWS\system32\msguard.sys infected by "Backdoor.Win32.Agent.cr"Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\notepad.exe infected by "Trojan-Dropper.Win32.Microjoin.c"Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\optimizer.exe infected by "Trojan-Downloader.Win32.lstBar.er"Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\unpack.exe infected by "Trojan.Win32.Painwin.a"Virus Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\Del626.tmp infected by "not-a-virus:AdWare.180Solutions"Virus Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\delwbi.tmp infected by "not-a-virus:p***-Dialer.Win32.DialerComp"Virus Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\divx.exe infected by "Backdoor.Win32.Agent.cr"Virus Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\remove.exe infected by"Trojan-Downloader.Win32.Keenval.f"Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\temp.fr2853\Tvm.exe infected by "not-a-virus:AdWare.TotalVelocity.y"Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\temp.fr2853\Tvmbho.dll infected by "not-a-virus:AdWare.TotalVelocity.y"Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\tvmupdater infected by "not-a-virus:AdWare.TotalVelocity.y"Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\JANENA\LOCALS~1\Temp\__unin__.exe infected by "not-a-virus:AdWare.Altnet.b"Virus. Action Taken: No Action Taken.

Whew, there you go. Had to type them all out, took a while :tazz: but on the way down I saw a virus in notepad; could that be why I couldn't open up the logs?

Anyway, I hope that helps.

#15 Wizard (Retired Staff)
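Added example, not code from the thread: a small Python triage helper that parses MWAV report lines like the ones posted above (including the "Action Taken" lines that wrap onto the next line and the "tagged as" form) and links each flagged file to HijackThis entries that name it, the way msguard.sys lines up with the O20 Winlogon Notify entry in the log. The allowlist of Windows binaries to verify rather than delete is an illustrative assumption, not something the page states.

```python
import re
from dataclasses import dataclass, field
from ntpath import basename, splitext

# Constructed sample input copied from the MWAV output and HJT log in this thread.
MWAV_SAMPLE = """\
File C:\\WINDOWS\\system32\\jomgdc.exe infected by"not-a-virus:AdWare.Abstart.b"Virus.
Action Taken: No Action Taken
File C:\\WINDOWS\\MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken
File C:\\WINDOWS\\system32\\msguard.sys infected by "Backdoor.Win32.Agent.cr"Virus. Action Taken: No Action Taken.
File C:\\WINDOWS\\system32\\notepad.exe infected by "Trojan-Dropper.Win32.Microjoin.c"Virus. Action Taken: No Action Taken.
"""
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [windrv] C:\\WINDOWS\\System32\\windrv32.exe
O20 - Winlogon Notify: msguard - C:\\WINDOWS\\SYSTEM32\\eplrr0.dll
"""
# One report line: path, then 'infected by "<name>"Virus' or 'tagged as <name>.',
# then an optional "Action Taken:" part that MWAV may wrap onto the next line.
FILE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by\s*"(?P<det>[^"]+)"Virus\.?|tagged as (?P<det2>\S+?)\.(?=\s))'
    r'\s*(?:Action Taken:\s*)?(?P<action>.*?)\.?\s*$')
CONT_RE = re.compile(r'^Action Taken:\s*(?P<action>.+?)\.?\s*$')
# Illustrative allowlist (assumption, not from the page): Windows binaries that
# belong at this path, so a hit is verified (signature/hash) before any deletion.
VERIFY_FIRST = {"notepad.exe"}

@dataclass
class Finding:
    path: str
    detection: str
    action: str = ""
    persistence: list = field(default_factory=list)  # HJT lines naming this file
    verify_first: bool = False

def parse_mwav(text):
    """Turn MWAV report lines into Finding records, joining wrapped lines."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if m := FILE_RE.match(line):
            findings.append(Finding(m["path"], m["det"] or m["det2"], m["action"]))
        elif (c := CONT_RE.match(line)) and findings:
            findings[-1].action = c["action"]
    return findings

def triage(mwav_text, hjt_text):
    """Link flagged files to HJT entries that name them (by file name or stem)."""
    findings = parse_mwav(mwav_text)
    hjt = [l.lower() for l in hjt_text.splitlines() if l.startswith("O")]
    for f in findings:
        name = basename(f.path).lower()
        stem = re.escape(splitext(name)[0])
        f.persistence = [l for l in hjt if name in l or re.search(rf'\b{stem}\b', l)]
        f.verify_first = name in VERIFY_FIRST
    return findings
```

A finding with a non-empty `persistence` list is one whose autostart entry also needs removing, not just the file; a `verify_first` hit is where a scanner's word alone should not decide.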
OK, restart in Safe Mode (F8 while Windows is loading).

Open KillBox >>> Select Tools >>> Select Delete Temp Files!

Now, with KillBox open, copy & paste this into the text box labeled "Full Path of File to Delete":
C:\WINDOWS\system32\hhibybl.exe
Check "Standard File Delete" and click the red circle with the white X in the middle to delete!

You should get a response that the file was deleted successfully!

Follow the exact same process for these entries as well:

C:\WINDOWS\system32\hjanycr.exe

C:\WINDOWS\system32\jomgdc.exe

C:\WINDOWS\system32\hgidyam.exe

C:\WINDOWS\SYSTEM32\HTAFYET.SYS

C:\WINDOWS\esba-4.exe

C:\WINDOWS\MSRSTRT.EXE

C:\WINDOWS\system32\automove.exe

C:\WINDOWS\system32\heauyft.vxd

C:\WINDOWS\system32\jomgdd.exe

C:\WINDOWS\system32\jomgdf.exe

C:\WINDOWS\system32\msguard.sys

C:\WINDOWS\system32\notepad.exe <<< Wrong location, this one is a bug!

C:\WINDOWS\system32\optimizer.exe

C:\WINDOWS\system32\unpack.exe

Now, please navigate to this folder:

C:\Documents and Settings\JANENA\Local Settings\Temp

Open that Temp folder and verify that it is empty!

Post back and let me know if KillBox could not delete any of those files!

Please keep track; if KillBox won't delete them, we will have to search them out and remove them manually!