Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Host File "Corruption"[RESOLVED]

Started by Nate3577 , Mar 22 2005 07:33 PM

  • This topic is locked This topic is locked

#16
Nate3577
Posted 31 March 2005 - 07:19 PM

Nate3577

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Good Evening Don,
Here are what the scans say. Thanks once again for everything!

Nate

Trendo Micro:

TROJ_SMALL.AKZ C:\_RESTORE\TEMP\A0007685.CPY
TROJ_AGENT.NJ C:\_RESTORE\TEMP\A0007809.CPY
TROJ_AGENT.MS C:\_RESTORE\TEMP\A0007810.CPY



Incident Status Location

Adware:Adware/QoolShown No disinfected C:\WINDOWS\ETYRIYG.DLL
Virus:W32/Spybot.QV.worm No disinfected Operating system
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\WINDOWS\TEMP\vmstmp\vmstmp.exe
Adware:Adware/Apropos No disinfected Windows Registry
Spyware:Spyware/Bundleware No disinfected C:\WINDOWS\downloaded program files\ds3.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\DS3.dll
Virus:Trj/Small.HQ Disinfected C:\WINDOWS\SYSTEM\winup2date.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Virus:Bck/Agent.KO Disinfected C:\WINDOWS\SYSTEM\picsvr\picsvr.exe
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\gpuka.dat
Adware:Adware/QoolShown No disinfected C:\WINDOWS\etyriyg.dll
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\avzkpz.exe
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B737FC6A-0B3F-4B77-9C57-6A6EE2\21721267-D734-41A3-B4E8-56B0AA
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B737FC6A-0B3F-4B77-9C57-6A6EE2\CCB13BB0-38AC-4D85-A85B-71A8F7
  • 0

Advertisements

#17
don77
Posted 01 April 2005 - 07:12 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Nate,
sorry i overlooked your post,
Lets see if we can get this cleaned up,

Adware:Adware/QoolShown No disinfected C:\WINDOWS\ETYRIYG.DLL
Virus:W32/Spybot.QV.worm No disinfected Operating system
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\WINDOWS\TEMP\vmstmp\vmstmp.exe
Adware:Adware/Apropos No disinfected Windows Registry
Spyware:Spyware/Bundleware No disinfected C:\WINDOWS\downloaded program files\ds3.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\DS3.dll
Virus:Trj/Small.HQ Disinfected C:\WINDOWS\SYSTEM\winup2date.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx

Adware:Adware/QoolShown No disinfected C:\WINDOWS\etyriyg.dll

Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe


Reboot to safe mode search for and delete the files in Bold, The files highlighted in Red please delete the associated folder,
Empty your Recycle Bin
Restart your computer
Rescan with Active and post back how you make out,

The files found by TrendMicro we will clear out by flushing system Restore once we get rid of the rest,
  • 0

#18
Nate3577
Posted 02 April 2005 - 10:25 AM

Nate3577

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Morning Don,
Here is the latest update. A Couple of things: I am not going to delete WxBug.EXE. It is Weatherbug which I downloaded because I am a weather freak. Also I was only able to find the etyriyg.dll to delete. The other items I was not able to find. Can you think of a reason that I cannot find it? Thanks once again and here is the report.


Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\WINDOWS\TEMP\vmstmp\vmstmp.exe
Adware:Adware/Apropos No disinfected Windows Registry
Spyware:Spyware/Bundleware No disinfected C:\WINDOWS\downloaded program files\ds3.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\DS3.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B737FC6A-0B3F-4B77-9C57-6A6EE2\21721267-D734-41A3-B4E8-56B0AA
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B737FC6A-0B3F-4B77-9C57-6A6EE2\CCB13BB0-38AC-4D85-A85B-71A8F7
Adware:Adware/QoolShown No disinfected C:\Recycled\Dc2.dll
Adware:Adware/MyWebSearch No disinfected C:\NULL


Have a nice day!

Nate
  • 0

#19
don77
Posted 02 April 2005 - 08:32 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Nate,
Lets go this route,

Run killbox and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.

C:\WINDOWS\TEMP\vmstmp
C:\WINDOWS\downloaded program files\ds3.dll
C:\WINDOWS\SYSTEM\nsvsvc
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe


Rescan with active scan and RAV

Please disable your current AV
Click Here and run RAV online scan, Copy and paste back the log into this thread when it has finished,
Be sure and enable your AV when done with the above
  • 0

#20
Nate3577
Posted 03 April 2005 - 09:43 AM

Nate3577

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Morning Don,
Thanks for the newest advise. Here are the newest log reports. Hopefully you see some headway being made! Talk to you soon!

Nate


Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\WINDOWS\TEMP\vmstmp\vmstmp.exe
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B737FC6A-0B3F-4B77-9C57-6A6EE2\21721267-D734-41A3-B4E8-56B0AA
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B737FC6A-0B3F-4B77-9C57-6A6EE2\CCB13BB0-38AC-4D85-A85B-71A8F7
Adware:Adware/QoolShown No disinfected C:\Recycled\Dc2.dll
Adware:Adware/MyWebSearch No disinfected C:\NULL


Scan started at 4/3/2005 10:43:52 AM

Scanning memory...
c:\setup74.exe - TrojanDropper:Win32/Small.FL -> Infected

Scanned
============================
Objects: 26253
Directories: 1654
Archives: 713
Size(Kb): -1805153
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 67
  • 0

#21
don77
Posted 04 April 2005 - 05:11 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Lets give this another run,

Run killbox and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.

C:\WINDOWS\TEMP\vmstmp\vmstmp.exe
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
C:\Recycled\Dc2.dll
c:\setup74.exe


Run another RAV scan please post back what it finds,
  • 0

#22
Nate3577
Posted 04 April 2005 - 06:52 PM

Nate3577

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Evening Don,
Maybe we are getting closer. Here is the log from this evening.

Nate

Scan started at 4/4/2005 8:06:22 PM

Scanning memory...
c:\_RESTORE\TEMP\SETUP74.0 - TrojanDropper:Win32/Small.FL -> Infected

Scanned
============================
Objects: 27381
Directories: 1651
Archives: 733
Size(Kb): -1812389
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 72
  • 0

#23
don77
Posted 04 April 2005 - 07:40 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Much better Nate,

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.

Run ascan with Ad-aware and have it fix all it finds please, Restart your computer,

Next please see Here How to disable and enable system Restore

Disable system restore then enable it, This will flush the last file RAV has found,
Run RAV one more time and let us know how you make out please,
  • 0

#24
Nate3577
Posted 04 April 2005 - 09:08 PM

Nate3577

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Don,
Here is the newest log.

Nate

Scan started at 4/4/2005 10:31:21 PM

Scanning memory...

Scanned
============================
Objects: 27193
Directories: 1650
Archives: 659
Size(Kb): -1922423
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 73
  • 0

#25
don77
Posted 04 April 2005 - 09:43 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looks to have done the trick how is the computer running now ?
  • 0

Advertisements

#26
Nate3577
Posted 05 April 2005 - 07:03 AM

Nate3577

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Don,
Yeah, it has been running better as we have been plugging away on this. THANKS a bunch for all of your help with this. Question: As a preventative measure, what is the best way to make sure that my host file does not get corrupted again? Should I just use the host file tool option on spybot? Thanks once again for everything!

Nate
  • 0

#27
don77
Posted 05 April 2005 - 07:14 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sure Nate,

[*]Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

[*]AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

[*]SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

[*]SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

[*]IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

[*]CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

[*]Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

[*]Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

[*]Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
[/list]To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#28
don77
Posted 03 May 2005 - 09:36 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP