
Still got'em


  • This topic is locked

#1
nate_nvs

Did everything to a T but still got some stuff on the system. Followed all the directions from the req steps log and they're still on my system, so I'm posting a HijackThis log hoping for help. Any would be much appreciated.



Logfile of HijackThis v1.99.1
Scan saved at 12:22:33 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Krzk\Hoyp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\MSNGMSNGR32.EXE
C:\WINDOWS\sixtypopsix.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\wfvaxbnh\wfvaxbnh.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\stoes.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\win320864-8720667.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\inrraz.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\sys01872066764-.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Alexandra\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....5DS&appindex=DS
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {33CFEF75-52AA-426C-BA65-E5A4926CB412} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {3932DAF6-A747-422B-B427-9DE05848FE27} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {3FAF6D75-FBC4-428D-B285-5E787C8C55D7} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {49340965-CBBA-4C7A-9328-BF21FEA1A3B0} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5801E70B-898A-48F1-9EC2-667677B2DDE1} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {65548086-29F2-47EC-9D69-684E14528E27} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {6BD3F7DB-7638-4D6B-9865-FFA9F7EA96A8} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {6BDC46F0-1D83-4E45-9F60-EEE6EC30CC63} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {8719FA7F-7D52-4B3B-8D51-75E5D03FFCA1} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {885F5E7B-DD6C-4105-9BE3-68FE47A81358} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {979BB70A-3503-4A93-A795-A0689F0372E3} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg2.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B582B81B-1C79-406D-ACC6-39083F1F7C02} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {D0522917-C5A5-CC05-F02E-CAC9DEC06F94} - C:\WINDOWS\System32\frnsxm.dll
O2 - BHO: (no name) - {D052296B-C5A1-B877-F05B-BAC9DDB46F9F} - C:\WINDOWS\System32\frnsxm.dll
O2 - BHO: (no name) - {E4614FE5-BAD0-41D7-B3BE-AB8B4FCA8E3A} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {EF2BCD94-2CC6-4079-9333-3961D3C8454A} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Etvawdhm] C:\Program Files\Krzk\Hoyp.exe
O4 - HKLM\..\Run: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [wfvaxbnh] C:\Program Files\wfvaxbnh\wfvaxbnh.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [2s6S32X] stoes.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [win320864-8720667] C:\WINDOWS\win320864-8720667.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inrraz.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [sys01872066764-] C:\WINDOWS\sys01872066764-.exe
O4 - HKCU\..\RunOnce: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


#2
Guest_thatman_*

Hi nate_nvs

Welcome to geekstogo ;)

Please read through the instructions before you start (you may want to print this out).

You are running HijackThis from the Desktop; please create a new folder C:\HJT and move HijackThis.exe into the new folder

Download and unzip cwsserviceremove to your desktop.
cwsserviceremove

Please set your system to show all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINDOWS\sixtypopsix.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\win320864-8720667.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\inrraz.exe
C:\WINDOWS\sys01872066764-.exe

Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O2 - BHO: (no name) - {33CFEF75-52AA-426C-BA65-E5A4926CB412} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {3932DAF6-A747-422B-B427-9DE05848FE27} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {3FAF6D75-FBC4-428D-B285-5E787C8C55D7} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {49340965-CBBA-4C7A-9328-BF21FEA1A3B0} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {5801E70B-898A-48F1-9EC2-667677B2DDE1} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {65548086-29F2-47EC-9D69-684E14528E27} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg2.dll
O2 - BHO: (no name) - {B582B81B-1C79-406D-ACC6-39083F1F7C02} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {D0522917-C5A5-CC05-F02E-CAC9DEC06F94} - C:\WINDOWS\System32\frnsxm.dll
O2 - BHO: (no name) - {D052296B-C5A1-B877-F05B-BAC9DDB46F9F} - C:\WINDOWS\System32\frnsxm.dll
O2 - BHO: (no name) - {E4614FE5-BAD0-41D7-B3BE-AB8B4FCA8E3A} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {EF2BCD94-2CC6-4079-9333-3961D3C8454A} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O4 - HKLM\..\Run: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [wfvaxbnh] C:\Program Files\wfvaxbnh\wfvaxbnh.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [2s6S32X] stoes.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [win320864-8720667] C:\WINDOWS\win320864-8720667.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inrraz.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [sys01872066764-] C:\WINDOWS\sys01872066764-.exe
O4 - HKCU\..\RunOnce: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\sixtypopsix.exe<--Delete this file
C:\WINDOWS\System32\winupdt.exe<--Delete this file
C:\WINDOWS\isrvs\<--Delete this folder
C:\WINDOWS\SysCheckBop32.exe<--Delete this file
C:\WINDOWS\win320864-8720667.exe<--Delete this file
C:\WINDOWS\System32\pacis.exe<--Delete this file
C:\WINDOWS\System32\inrraz.exe<--Delete this file
C:\Program Files\wfvaxbnh<--Delete this folder
C:\WINDOWS\System32\rtneg2.dll<--Delete this file
C:\WINDOWS\System32\frnsxm.dll<--Delete this file
MSNGMSNGR32.EXE<--Delete this file
C:\WINDOWS\System32\wsxsvc<--Delete this folder
AUNPS2.DLL<--Delete this file
C:\WINDOWS\isrvs\ffisearch.exe<--Delete this file
C:\WINDOWS\System32\exp.exe<--Delete this file
stoes.exe<--Delete this file
C:\windows\system32\elitexiv32.exe<--Delete this file
C:\WINDOWS\System32\gah95on6.exe<--Delete this file
C:\Program Files\AdwareFilter<--Delete the whole folder

Exit Explorer

Run cwsserviceremove. Double click on the cwsserviceremove and when asked to merge say yes.

Reboot into normal mode.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3
nate_nvs

I can't bring up the task manager. Every time I try, it brings up the green square on the task bar but doesn't load, and if I put the cursor over the square it disappears. I tried to run it from the Run command and that doesn't work either.

#4
Guest_thatman_*

Hi thatman

If no taskmanager just continue with the fix, will look for a link for new taskmanager.

Kc :tazz:

#5
Guest_thatman_*

Hi nate_nvs

Unzip this file to your desktop: taskmanager +
http://www.diamondcs...hp?page=taskman
TaskMan+ is a free tiny utility that launches Windows Task Manager in a special way as to boost the security privileges of Task Manager, which in turn gives it a real unconditional license to terminate ANY process. Requires Administrator privileges.

Advanced Process Termination
http://www.diamondcs...ex.php?page=apt
DiamondCS APT offers seven different methods of process termination - the only thing we know of that can stop all 7 methods is Process Guard!

Kc :tazz:

#6
nate_nvs

Okay, with some delay, had to do some errands. I've done everything so far. Here's where I'm at.


This is the ActiveScan log

Incident Status Location

Adware:Adware/QoolShown No disinfected C:\WINDOWS\System32\sgppeyy.dll
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Krzk\Hoyp.exe
Virus:W32/Spybot.QV.worm No disinfected Operating system
Adware:Adware/eZula No disinfected C:\WINDOWS\System32\ezPopStub.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\FLEOK
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\downloaded program files\ATPartners.inf
Adware:Adware/Sqwire No disinfected C:\WINDOWS\System32\tsuninst.exe
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\System32\tvm_b5*.exe
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Adware:Adware/ISearch No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/IEMenuExtension No disinfected C:\WINDOWS\IEMenuExtension.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
Virus:Trj/Downloader.AAF Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\atiupdate.exe
Adware:Adware/ISearch No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\B29734339\build3.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLF1AEGLF1AE.EXE
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLF5AGLF5A.EXE
Virus:Trj/TSUpdate.A Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLFDCGLFDC.EXE
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i31.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i3D.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i64.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i65.tmp
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\iBF.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ms63.tmp
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ms6B.tmp
Virus:Trj/Small.GZ Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\msdioo.exe
Virus:Bck/Paci.A Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\pcs_0002.exe
Virus:Bck/Paci.A Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\pcs_0004.exe
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ptf_0002.exe
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ptf_0004.exe
Virus:W32/Gaobot.batch Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\r.bat
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\SAHAGE~1.EXE
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\suicidetb.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\toolbar.dll
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\Tvm.upd
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\tvmupdater.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\U45.tmp
Adware:Adware/Comet No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\unpack\CC_43.inf
Virus:W32/Spybot.QV.worm Disinfected C:\Documents and Settings\Alexandra\Local Settings\Temp\tp7543.exe
Virus:W32/Spybot.QV.worm Disinfected C:\Documents and Settings\Alexandra\Local Settings\Temporary Internet Files\Content.IE5\4M93MJ9F\i282[1].exe
Virus:W32/Spybot.QV.worm Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtdd.exe
Adware:Adware/MediaTickets No disinfected C:\Install.exe[trufkz.html]
Virus:Trj/LowZones.BB No disinfected C:\Install.exe[kans.reg]
Virus:Trj/LowZones.BB No disinfected C:\Install.exe[kansup.reg]
Virus:Trj/LowZones.BB Disinfected C:\kans.reg
Virus:Trj/LowZones.BB Disinfected C:\kansup.reg
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Krzk\Hoyp.exe
Virus:Bck/Paci.A Disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc11.exe
Adware:Adware/Apropos No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc16.exe
Adware:Adware/StartPage.DD No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc19.exe
Virus:Trj/TedapuNews.A Disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc7.exe
Virus:Trj/Delprot.A Disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc8\delprot.sys
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc8\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc8\isearch.xpi[isearch.jar][isearch.js]
Virus:Trj/Small.GO Disinfected C:\temporary\aun_0008.exe
Adware:Adware/MediaTickets No disinfected C:\trufkz.html
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Zango No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.inf
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar.dll
Adware:Adware/Ucmore No disinfected C:\WINDOWS\IEMenuExtension.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\ceres.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\dlmax.inf
Possible Virus. No disinfected C:\WINDOWS\inst\3p_1.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\mm15201518.Stub.exe
Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\protector_update.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\sskb5.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\SYSTEM\urdprw.exe
Virus:Trj/Downloader.AWZ Disinfected C:\WINDOWS\SYSTEM32\20007.exe
Virus:Trj/TSUpdate.A Disinfected C:\WINDOWS\SYSTEM32\Cache\AMEX_54.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM32\Cache\b2s-537466.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM32\Cache\HLInstaller.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM32\Cache\MTE0MzA6ODoxMg.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM32\Cache\MTE1NjE6ODoxMg.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM32\Cache\MTE1NTA6ODoxMg.exe
Virus:Trj/Downloader.BJM Disinfected C:\WINDOWS\SYSTEM32\Cache\pi1_51.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\Cache\pop.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\Cache\saie1101.exe
Virus:Trj/SCBop.B Disinfected C:\WINDOWS\SYSTEM32\Cache\setup.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM32\Cache\setup1015.exe
Virus:Trj/Downloader.BJF Disinfected C:\WINDOWS\SYSTEM32\Cache\skh2.exe
Virus:Trj/Downloader.AZI Disinfected C:\WINDOWS\SYSTEM32\Cache\SSK_B5 MVSSK 3.EXE
Virus:Trj/Downloader.BJI Disinfected C:\WINDOWS\SYSTEM32\Cache\VCMnet7 updated 030905.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM32\Cache\wrapperouter.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM32\doolsav.dat
Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\elitedec32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM32\elitedoolsav.dat
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\SYSTEM32\eliteerror32.dat
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\SYSTEM32\elitefvy32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\SYSTEM32\elitejgh32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\SYSTEM32\elitekpc32.exe
Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\eliteuzw32.exe
Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\elitevba32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\SYSTEM32\elitevbg32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\SYSTEM32\elitewgf32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\SYSTEM32\elitewje32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\SYSTEM32\elitexkt32.exe
Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\eliteyzx32.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM32\HyperLinker.exe
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\SYSTEM32\inrraz.exe
Virus:Trj/Small.GZ Disinfected C:\WINDOWS\SYSTEM32\msdioo.exe
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\SYSTEM32\mseggo.gif
Adware:Adware/Adtomi No disinfected C:\WINDOWS\SYSTEM32\nwp69c.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM32\pop2.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM32\rtixdnt5.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\saie1108.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\sgppeyy.dll
Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\sgppeyy.dll.tmp
Virus:Trj/Downloader.AZI Disinfected C:\WINDOWS\SYSTEM32\SSK_B5_MVSSK2.EXE
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\t2_667279.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\SYSTEM32\TVM_B5_43.EXE
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\SYSTEM32\wvqqg.dat
Here's the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:23:19 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Krzk\Hoyp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....5DS&appindex=DS
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {091E0863-FBB8-4A39-9A6F-C5C298FCF3BB} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {558B4C7D-6940-4123-9322-A9C4671A1B42} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {6BD3F7DB-7638-4D6B-9865-FFA9F7EA96A8} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {6BDC46F0-1D83-4E45-9F60-EEE6EC30CC63} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {8719FA7F-7D52-4B3B-8D51-75E5D03FFCA1} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {885F5E7B-DD6C-4105-9BE3-68FE47A81358} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {979BB70A-3503-4A93-A795-A0689F0372E3} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Etvawdhm] C:\Program Files\Krzk\Hoyp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

Last thing: when I did the Trend Micro log I didn't see where you could save a log, but it did say there was a non-fixable Troj SMALL.SN in c:\programs\Krzk\Hoyp.exe
  • 0
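
An added example, not part of the thread and not HijackThis's own code: a Python sketch that parses HijackThis result lines and diffs the first log against the follow-up log, showing which entries the fix removed, which persisted, which are new, and which now point at a deleted file. The `BEFORE` and `AFTER` excerpts are abridged from the two logs posted above; the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass

# A HijackThis result line starts with a section code (R0, O2, O4, O15, ...)
# followed by " - ". Header and "Running processes" lines do not match.
RESULT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING_TAG = " (file missing)"


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2" (BHO) or "O4" (autostart)
    body: str      # rest of the line, without the "(file missing)" tag
    missing: bool  # HijackThis could not find the referenced file

    @property
    def key(self):
        # Case-insensitive identity: Windows paths and registry names are
        # not case-sensitive, and the logs mix upper- and lower-case paths.
        return (self.section, self.body.lower())


def parse_log(text):
    """Return the result entries of a HijackThis log, skipping other lines."""
    entries = []
    for raw in text.splitlines():
        m = RESULT_LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING_TAG)
        if missing:
            body = body[: -len(MISSING_TAG)]
        entries.append(Entry(m.group("section"), body, missing))
    return entries


def diff_logs(before_text, after_text):
    """Compare two logs taken before and after a cleanup pass."""
    before = {e.key: e for e in parse_log(before_text)}
    after = {e.key: e for e in parse_log(after_text)}
    return {
        "removed": sorted(k for k in before if k not in after),
        "persisted": sorted(k for k in after if k in before),
        "new": sorted(k for k in after if k not in before),
        # Registry entry survives although its file is gone: still needs fixing.
        "orphaned": sorted(k for k, e in after.items() if e.missing),
    }


# Abridged excerpt of the first log in this thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\sixtypopsix.exe
O2 - BHO: (no name) - {33CFEF75-52AA-426C-BA65-E5A4926CB412} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: (no name) - {6BD3F7DB-7638-4D6B-9865-FFA9F7EA96A8} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe
O4 - HKLM\..\Run: [Etvawdhm] C:\Program Files\Krzk\Hoyp.exe
O15 - Trusted Zone: *.popuppers.com
"""

# Abridged excerpt of the follow-up log in this thread.
AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {091E0863-FBB8-4A39-9A6F-C5C298FCF3BB} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {6BD3F7DB-7638-4D6B-9865-FFA9F7EA96A8} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe
O4 - HKLM\..\Run: [Etvawdhm] C:\Program Files\Krzk\Hoyp.exe
"""

if __name__ == "__main__":
    for status, keys in diff_logs(BEFORE, AFTER).items():
        print(f"{status} ({len(keys)})")
        for section, body in keys:
            print(f"  {section} - {body}")
```

The diff only shows what changed between two scans; whether a persisted or new entry is malicious is still the analyst's call.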

#7
Guest_thatman_*

Hi nate_nvs

Welcome to geekstogo ;)

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Download the ccleaner and unzip the ccleaner into its own folder.
I use this program and it is set up like this: all boxes are checked. Click on auto-startup.
Now run the ccleaner.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....5DS&appindex=DS
O2 - BHO: (no name) - {091E0863-FBB8-4A39-9A6F-C5C298FCF3BB} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {558B4C7D-6940-4123-9322-A9C4671A1B42} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {6BD3F7DB-7638-4D6B-9865-FFA9F7EA96A8} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {6BDC46F0-1D83-4E45-9F60-EEE6EC30CC63} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {8719FA7F-7D52-4B3B-8D51-75E5D03FFCA1} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {885F5E7B-DD6C-4105-9BE3-68FE47A81358} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O2 - BHO: (no name) - {979BB70A-3503-4A93-A795-A0689F0372E3} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O4 - HKLM\..\Run: [Etvawdhm] C:\Program Files\Krzk\Hoyp.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:
Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Now run the ccleaner

Using Windows Explorer, locate the following files/folders and delete them if found:

C:\Program Files\wfvaxbnh<--Delete the whole folder
C:\Program Files\Krzk<--Delete the whole folder
C:\windows\system32\elitexiv32.exe<--Delete this file
C:\WINDOWS\System32\sgppeyy.dll<--Delete this file
C:\Program Files\Krzk<--Delete the whole folder
C:\WINDOWS\System32\ezPopStub.exe<--Delete this file
C:\WINDOWS\System32\FLEOK<--Delete this file
C:\WINDOWS\unstall.exe<--Delete this file
C:\WINDOWS\bsx32<--Delete this file
C:\Program Files\cxtpls<--Delete the whole folder
C:\WINDOWS\downloaded program files\ATPartners.inf<--Delete the whole folder
C:\WINDOWS\System32\tsuninst.exe<--Delete this file
C:\WINDOWS\System32\tvm_b5*.exe<--Delete this file
C:\keys.ini<--Delete the whole folder
C:\WINDOWS\farmmext.ini<--Delete this file
C:\Program Files\Ares<--Delete the whole folder
C:\WINDOWS\EliteToolBar<--Delete the whole folder
C:\WINDOWS\IEMenuExtension.exe<--Delete this file
C:\WINDOWS\dlmax.dll<--Delete this file
C:\Install.exe[trufkz.html]<--Delete the whole folder
C:\temporary<--Delete the whole folder
C:\trufkz.html<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\ATPartners.inf<--Delete this file
C:\WINDOWS\Downloaded Program Files\ClientAX.inf<--Delete this file
C:\WINDOWS\EliteToolBar\EliteToolBar.dll<--Delete this file
C:\WINDOWS\INF\ceres.inf<--Delete this file
C:\WINDOWS\INF\dlmax.inf<--Delete this file
C:\WINDOWS\inst\3p_1.exe<--Delete this file
C:\WINDOWS\mm15201518.Stub.exe<--Delete this file
C:\WINDOWS\protector_update.exe<--Delete this file
C:\WINDOWS\sskb5.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\AMEX_54.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\b2s-537466.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\HLInstaller.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\MTE0MzA6ODoxMg.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\MTE1NjE6ODoxMg.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\MTE1NTA6ODoxMg.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\pop.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\saie1101.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\setup1015.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\wrapperouter.exe<--Delete this file
C:\WINDOWS\SYSTEM32\doolsav.dat<--Delete this file
C:\WINDOWS\SYSTEM32\elitedec32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\elitedoolsav.dat<--Delete this file
C:\WINDOWS\SYSTEM32\elitefvy32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\elitejgh32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\eliteuzw32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\elitevba32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\elitevbg32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\elitewje32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\elitexkt32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\eliteyzx32.exe<--Delete this file
C:\WINDOWS\SYSTEM32\HyperLinker.exe<--Delete this file
C:\WINDOWS\SYSTEM32\mseggo.gif<--Delete this file
C:\WINDOWS\SYSTEM32\nwp69c.exe<--Delete this file
C:\WINDOWS\SYSTEM32\pop2.exe<--Delete this file
C:\WINDOWS\SYSTEM32\rtixdnt5.exe<--Delete this file
C:\WINDOWS\SYSTEM32\saie1108.exe<--Delete this file
C:\WINDOWS\SYSTEM32\sgppeyy.dll<--Delete this file
C:\WINDOWS\SYSTEM32\sgppeyy.dll.tmp<--Delete this file
C:\WINDOWS\SYSTEM32\t2_667279.exe<--Delete this file
C:\WINDOWS\SYSTEM32\tsuninst.exe<--Delete this file
C:\WINDOWS\SYSTEM32\TVM_B5_43.EXE<--Delete this file

Exit Explorer.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#8
nate_nvs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
So I did everything as stated and here are the logs. Does it look any better?

Logfile of HijackThis v1.99.1
Scan saved at 2:23:46 AM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\inrraz.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inrraz.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

active scan results

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\saie_*.dat
Adware:Adware/SAHAgent No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\WINDOWS\System32\cache\cxtpls_loader.exe
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\downloaded program files\ATPartners.inf
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/ISearch No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\sideb.exe
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\B29734339\build3.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLF1AEGLF1AE.EXE
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLF5AGLF5A.EXE
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i3D.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i65.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ms63.tmp
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ptf_0002.exe
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ptf_0004.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\SAHAGE~1.EXE
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\suicidetb.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\toolbar.dll
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\Tvm.upd
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\tvmupdater.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\U45.tmp
Adware:Adware/Comet No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\unpack\CC_43.inf
Spyware:Spyware/Dyfuca No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc1\Hoyp.exe
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc10.exe
Adware:Adware/StartPage.DD No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc11.exe
Spyware:Spyware/SurfSideKick No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc12.exe
Possible Virus. No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc13.exe
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc14.inf
Adware:Adware/Transponder No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc15.inf
Adware:Adware/QoolShown No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc16.dll
Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc19.exe
Adware:Adware/Beginto No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc20.exe
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc21.exe
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc22.exe
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc23.exe
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc24.exe
Adware:Adware/nCase No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc25.exe
Adware:Adware/nCase No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc26.exe
Spyware:Spyware/UrlSpy No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc27.exe
Adware:Adware/TopRebates No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc28.exe
Adware:Adware/VirtualBouncer No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc29.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc30.dat
Adware:Adware/StartPage.DD No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc31.exe
Adware:Adware/StartPage.DD No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc32.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc33.dat
Adware:Adware/Startpage.CM No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc34.exe
Adware:Adware/Startpage.CM No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc35.exe
Adware:Adware/StartPage.DD No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc36.exe
Adware:Adware/StartPage.DD No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc37.exe
Adware:Adware/Startpage.CM No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc38.exe
Adware:Adware/Startpage.CM No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc39.exe
Adware:Adware/Startpage.CM No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc40.exe
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc41.exe
Adware:Adware/Adtomi No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc42.exe
Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc43.exe
Adware:Adware/nCase No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc44.exe
Adware:Adware/Apropos No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc45.exe
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc5\EliteToolBar.dll
Adware:Adware/Ucmore No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc6.exe
Adware:Adware/MediaTickets No disinfected C:\RECYCLER\S-1-5-21-3328232656-4261223495-3301652059-1008\Dc9.html
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Zango No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.inf
  • 0

#9
Guest_thatman_*
  • Guest
Hi nate_nvs

It looks a lot better to me ;)

1. Download CCleaner and unzip the file to install.
2. Open CCleaner.
3. Place a check by everything in the Applications tab.
4. Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
5. Hit the button that says Run CCleaner
6. Reboot into Safe Mode.

Using Windows Explorer, delete the following files and folders:

C:\WINDOWS\System32\saie_*.dat<--Delete this file
C:\WINDOWS\bsx32<--Delete this file
C:\WINDOWS\System32\cache\cxtpls_loader.exe<--Delete this file
C:\WINDOWS\downloaded program files\ATPartners.inf<--Delete this file
C:\keys.ini<--Delete the whole folder
C:\WINDOWS\sideb.exe<--Delete this file
C:\WINDOWS\Downloaded Program Files\ATPartners.inf<--Delete this file
C:\WINDOWS\Downloaded Program Files\ClientAX.inf<--Delete this file

Run the ccleaner again

Reboot as normal

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc

Do you still use the Kaspersky Anti-Virus application?
kavsvc.exe is a process associated with the Kaspersky Anti-Virus application.
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inrraz.exe


Kc :tazz:
  • 0
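The check the helper does by eye in replies #7 to #9 (confirm the fixed entries are gone from the follow-up log, then spot the Run value named KavSvc that points at inrraz.exe) can be scripted. This is an added example, not part of the thread: the function names and the `KNOWN_IMAGE` table are this example's own, and the sample lines are copied from the logs posted above.

```python
import ntpath
import re
from dataclasses import dataclass

# Entries the helper asked to fix in reply #7 (subset, copied from the thread).
FIX_LIST = r"""
O2 - BHO: (no name) - {091E0863-FBB8-4A39-9A6F-C5C298FCF3BB} - C:\Program Files\wfvaxbnh\wfvaxbnh.dll (file missing)
O4 - HKLM\..\Run: [Etvawdhm] C:\Program Files\Krzk\Hoyp.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexiv32.exe
"""

# Excerpt of the follow-up HijackThis log posted in #8 (copied from the thread).
FOLLOW_UP = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inrraz.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
"""

# Run value name -> image it should launch. Assumption of this example: the
# only pairing listed is the one the helper states in reply #9.
KNOWN_IMAGE = {"kavsvc": "kavsvc.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Unquoted commands may contain spaces, so cut at the first executable
# extension that is followed by whitespace or end of line.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:\s|$)", re.I)
MISSING = "(file missing)"


@dataclass(frozen=True)
class Entry:
    code: str      # section code such as R1, O2, O4, O23
    body: str      # rest of the line, without the "(file missing)" suffix
    missing: bool  # HijackThis reported the target file as missing

    @property
    def key(self):
        # Paths differ in case between logs, so compare case-insensitively.
        return (self.code, self.body.lower())


def parse_log(text):
    """Return the registry/startup entries of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process or blank line
        body = m["body"]
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        entries.append(Entry(m["code"], body, missing))
    return entries


def run_image(entry):
    """Return (value name, image basename) for an O4 Run entry, else None."""
    if entry.code != "O4":
        return None
    m = RUN_RE.match(entry.body)
    if not m:
        return None
    cmd = m["cmd"]
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        im = IMAGE_RE.match(cmd)
        path = im.group(1) if im else cmd
    return m["name"], ntpath.basename(path)


def still_present(fix_text, follow_up_text):
    """Entries from the fix list that survive in the follow-up log."""
    after = {e.key for e in parse_log(follow_up_text)}
    return [e for e in parse_log(fix_text) if e.key in after]


def triage(entries):
    """Flag missing targets and Run values whose name and image disagree."""
    findings = []
    for e in entries:
        if e.missing:
            findings.append(("file-missing", e.body))
        run = run_image(e)
        if run:
            name, image = run
            expected = KNOWN_IMAGE.get(name.lower())
            if expected and image.lower() != expected:
                findings.append(("name-mismatch", f"{name} -> {image}"))
    return findings


if __name__ == "__main__":
    print("fixed entries still present:", still_present(FIX_LIST, FOLLOW_UP))
    for reason, detail in triage(parse_log(FOLLOW_UP)):
        print(reason, "|", detail)
```

A name mismatch is a lead for a scan rather than a verdict; in this thread the Panda scan posted in #10 goes on to report C:\WINDOWS\SYSTEM32\inrraz.exe as W32/Spybot.QV.worm.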

#10
nate_nvs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Everything done; here are the files.

I don't use the Kaspersky Anti-Virus application.


Logfile of HijackThis v1.99.1
Scan saved at 11:42:21 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\inrraz.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inrraz.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)





Active scan log


Incident Status Location

Adware:Adware/QoolShown No disinfected C:\WINDOWS\System32\sgppeyy.dll
Virus:W32/Spybot.QV.worm No disinfected Operating system
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\System32\bs?.dll
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\downloaded program files\ATPartners.inf
Adware:Adware/ISearch No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\B29734339\build3.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\Del12.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLF1AEGLF1AE.EXE
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\GLF5AGLF5A.EXE
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i3D.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\i65.tmp
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\installer_MARKETING18.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ms63.tmp
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ms74.tmp
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ptf_0002.exe
Possible Virus. No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\ptf_0004.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\SAHAGE~1.EXE
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\suicidetb.exe
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\TBPS.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\toolbar.dll
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\Tvm.upd
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\tvmupdater.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\U45.tmp
Adware:Adware/Comet No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\unpack\CC_43.inf
Adware:Adware/Comet No disinfected C:\Documents and Settings\Alex\Local Settings\Temp\unpack\inst43.exe
Virus:Trj/Downloader.BBB Disinfected C:\Documents and Settings\Alex\Local Settings\Temp\vmstmp\vmstmp.exe
Virus:W32/Spybot.QV.worm Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtdd.exe
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-153.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-317.dll
Adware:Adware/PurityScan No disinfected C:\HJT\backups\backup-20050326-150632-438.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-486.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-516.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-557.dll
Adware:Adware/PurityScan No disinfected C:\HJT\backups\backup-20050326-150632-818.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-926.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-936.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-963.dll
Spyware:Spyware/ClearSearch No disinfected C:\HJT\backups\backup-20050326-150632-992.dll
Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\70tovmto.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\a95kfrhe.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Zango No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\installer_SIAC.exe
Virus:Trj/SCBop.B Disinfected C:\WINDOWS\ms0566764-87202005.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\shop1004.exe
Virus:Trj/SCBop.B Disinfected C:\WINDOWS\sys01872066764-.exe
Virus:Trj/StartPage.PX Disinfected C:\WINDOWS\SYSTEM32\7m5e.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\bln02nqv.exe
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\SYSTEM32\Cache\CSv13P108.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\EDow_AS2.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM32\Cache\ezstub.exe
Virus:Trj/Delf.EB Disinfected C:\WINDOWS\SYSTEM32\Cache\HelperInstall.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM32\Cache\installer_MARKETING17.exe
Virus:Trj/Dropper.DA Disinfected C:\WINDOWS\SYSTEM32\Cache\seedcorn.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM32\Cache\videoinst.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\cxtpls_loader.exe
Adware:Adware/HuntBar No disinfected C:\WINDOWS\SYSTEM32\EDow_AS2.exe
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\SYSTEM32\inrraz.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\installer_MARKETING18.exe
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\SYSTEM32\msfaol.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\SYSTEM32\msiaih.dll
Virus:Trj/Imk.A Disinfected C:\WINDOWS\SYSTEM32\msnimk.gif
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\q17i9a4j.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\sgppeyy.dll
Adware:Adware/ILookup No disinfected C:\WINDOWS\SYSTEM32\trgen.dll
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\SYSTEM32\wvqqg.dat
Virus:Trj/SCBop.B Disinfected C:\WINDOWS\win320864-87206672005.exe
  • 0

#11
Guest_thatman_*
  • Guest
Hi nate_nvs

Reboot into Safe Mode.

Use Windows Add/Remove Programs to uninstall the following program:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll<--this is for you to keep or delete

You can remove all the backup files in HijackThis; just delete them:
C:\HJT\backups\backup-20050326-150632-818.dll
C:\HJT\backups\backup-20050326-150632-926.dll
C:\HJT\backups\backup-20050326-150632-936.dll
C:\HJT\backups\backup-20050326-150632-963.dll
C:\HJT\backups\backup-20050326-150632-992.dll

Using Windows Explorer, delete the following files and folders:

C:\WINDOWS\70tovmto.exe<--Delete this file
C:\WINDOWS\a95kfrhe.exe<--Delete this file
C:\WINDOWS\Buddy.exe<--Delete this file
C:\WINDOWS\Downloaded Program Files\ATPartners.inf<--Delete this file
C:\WINDOWS\Downloaded Program Files\ClientAX.inf<--Delete this file
C:\WINDOWS\installer_SIAC.exe<--Delete this file
C:\WINDOWS\shop1004.exe<--Delete this file
C:\WINDOWS\SYSTEM32\bln02nqv.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\CSv13P108.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\ezstub.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\installer_MARKETING17.exe<--Delete this file
C:\WINDOWS\SYSTEM32\Cache\videoinst.exe<--Delete this file
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe<--Delete this file
C:\WINDOWS\SYSTEM32\EDow_AS2.exe<--Delete this file
C:\WINDOWS\SYSTEM32\msfaol.dll<--Delete this file
C:\WINDOWS\SYSTEM32\msiaih.dll<--Delete this file
C:\WINDOWS\SYSTEM32\q17i9a4j.exe<--Delete this file
C:\WINDOWS\SYSTEM32\sgppeyy.dll<--Delete this file
C:\WINDOWS\SYSTEM32\trgen.dll<--Delete this file

Exit explorer.

Run the ccleaner
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.

If you want to run a virus scan, post the log and an HJT.log.

Kc :tazz:
  • 0

#12
Guest_thatman_*
  • Guest
No reply from user

Topic closed

Kc
  • 0





