Security iGuard and more?


This topic is locked.

#1 theberkin8or (New Member, 7 posts)

OK, I have been having trouble with trojans for a while because I was stupid and decided I would use Internet Explorer instead of just going to Firefox (plus I wanted to wait for Service Pack 2 to work all the bugs out). My antivirus pretty much put all of them away in quarantine, but now I seem to have gotten this program Security iGuard. With it came this thing that takes over my background and gave me the classic "your boss will find out about your p***" line. I uninstalled iGuard and deleted the file that I thought was the source of the background. Now I have a white background that turns yellow when I move the mouse, and http://daosearch.com/ has taken over every time I try to click a link that says download (which has prevented me from getting TDS-3). Oh, and when I try to restart Windows it says it is trying to end a program that hasn't been showing up in the Task Manager or the processes; it begins with 20d58a7.

This is very frustrating; any ideas on how to fix this? BTW, I think what you guys are doing is great. IMO it is truly sick that people are trying to make money making spyware and then getting people to pay to remove it. I am glad someone is fighting that system.

Logfile of HijackThis v1.98.2
Scan saved at 12:07:13 AM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\Services\{C73E15C1-0A6A-45FC-B7D0-EE4E9730A97E}\SVCHOST.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\r?ndll32.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\mocih.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\cmdtel.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\James Berkeley\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com...5&said=nicket_a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {464F686D-F160-4832-B679-55E2FBD0A72F} - C:\WINDOWS\System32\mssah.dll (file missing)
O2 - BHO: (no name) - {52B2CB22-30E3-B0AD-A1D3-8E7E7FD2A9BA} - C:\WINDOWS\javapg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {E6AE565D-02A8-405A-BBFA-409EC1863D8D} - C:\WINDOWS\System32\mssah.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C73E15C1-0A6A-45FC-B7D0-EE4E9730A97E}\SVCHOST.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [dwtfw.exe] dwtfw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Seamcews] C:\WINDOWS\System32\r?ndll32.exe
O4 - Startup: dual.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {11AF332B-A36B-49A8-A5B1-F1CAF6B2A545} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {11AF332B-A36B-49A8-A5B1-F1CAF6B2A545} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {610D508F-0F08-4769-B0F9-18B0E9FE572E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {610D508F-0F08-4769-B0F9-18B0E9FE572E} - (no file) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ddebnepf.exe
O16 - DPF: {20832F61-7860-1106-303A-5B6543FB49B4} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {3E670CED-1CA0-3AA6-9E53-5F7814181277} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {74D17C9E-884F-1E18-B46F-43A62452992A} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {7E1ADB0C-DEB4-52A0-5EF9-0DD65A9EB104} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B8D17D-5655-4060-9850-F951E4F5C7E6}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3C56599-4E77-4C94-B9E5-2DC85DBD1587}: NameServer = 69.50.176.197,195.225.176.31
  • 0

#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Welcome theberkin8or to Geeks to Go!

I recommend you print this advice. In safe mode you will not have this page available.

***

Download CleanUp!.
Don't run the program, we'll do that later.

***

Download CWShredder, update it. Then open the program and click ‘fix’.

***

Download About:Buster

First, unzip all files from the zip folder to a folder or your desktop. Start it and hit OK. Then hit Update. A new screen should pop up. On that screen hit Check for Updates. If it says it found an update, hit Download Updates. If it doesn't, it will automatically tell you and exit. Now for the scanning part. Hit Start and then OK. The program should start scanning. Then hit Exit and reboot.
Once rebooted, run About:Buster once more to make sure everything is OK.

***

Restart the computer.
* As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com...5&said=nicket_a

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

O2 - BHO: Name - {464F686D-F160-4832-B679-55E2FBD0A72F} - C:\WINDOWS\System32\mssah.dll (file missing)

O2 - BHO: (no name) - {52B2CB22-30E3-B0AD-A1D3-8E7E7FD2A9BA} - C:\WINDOWS\javapg.dll (file missing)

O2 - BHO: Name - {E6AE565D-02A8-405A-BBFA-409EC1863D8D} - C:\WINDOWS\System32\mssah.dll (file missing)

O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C73E15C1-0A6A-45FC-B7D0-EE4E9730A97E}\SVCHOST.EXE

O4 - HKLM\..\RunOnce: [dwtfw.exe] dwtfw.exe

O4 - HKCU\..\Run: [Seamcews] C:\WINDOWS\System32\r?ndll32.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ddebnepf.exe

O16 - DPF: {20832F61-7860-1106-303A-5B6543FB49B4} - http://69.50.182.94/1/rdgUS1882.exe

O16 - DPF: {3E670CED-1CA0-3AA6-9E53-5F7814181277} - http://69.50.182.94/1/rdgUS1882.exe

O16 - DPF: {74D17C9E-884F-1E18-B46F-43A62452992A} - http://69.50.182.94/1/rdgUS1882.exe

O16 - DPF: {7E1ADB0C-DEB4-52A0-5EF9-0DD65A9EB104} - http://69.50.182.94/1/rdgUS1882.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{51B8D17D-5655-4060-9850-F951E4F5C7E6}: NameServer = 69.50.176.197,195.225.176.31

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3C56599-4E77-4C94-B9E5-2DC85DBD1587}: NameServer = 69.50.176.197,195.225.176.31

Click on Fix Checked when finished and exit HijackThis.

***

We need to make sure all hidden files are showing, so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

***

Delete the following files:

C:\WINDOWS\winfd.exe

C:\WINDOWS\System32\mocih.exe

C:\WINDOWS\System32\cmdtel.exe

C:\Program Files\Internet Explorer\ddebnepf.exe

***

Find and double-click the file cleanup312.exe.

Go to Options.
Select ‘custom’.
Put a check next to:
* Cookies
* Prefetch
* Temp
* All users.
Press ‘cleanup!’

Once it's done, decline log off. Instead, reboot into normal mode.

***

Please do an online scan; two would be better:

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

***

Reboot once more. Answer back in this topic.
Post a fresh HijackThis log. Let me know how the online virus scans did.
  • 0
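A rule-based triage of the kind of log entries the reply above picked for Fix checked, written as an added example for this thread (it is not HijackThis's code nor the helper's): the allowlists and every rule are assumptions of this example, and the sample entries are copied from the first log posted in the thread.

```python
"""Rule-based triage of HijackThis v1.98 log entries (added example, not
HijackThis's or the helper's code; every rule here is an assumption)."""
import re
from dataclasses import dataclass

# Assumed allowlists; a real deployment fills these from local policy.
TRUSTED_DNS = {"192.168.1.1"}                    # placeholder resolver
HOMEPAGE_OK = ("about:blank", "http://www.google.com", "http://www.msn.com")
WINDIR_EXE_OK = {"explorer.exe"}                 # legit %WINDIR%\*.exe autostart

GUID_SVCHOST = re.compile(r"\\Services\\\{[0-9A-F-]+\}\\svchost\.exe", re.I)
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
WINDIR_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\([^\\]+\.exe)\b", re.I)
ODD_CHAR_EXE = re.compile(r"\?[^\\]*\.exe", re.I)  # r?ndll32.exe: unprintable char


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def check_entry(section, rest):
    """Return the reasons (possibly none) why one log entry deserves review."""
    reasons = []
    if section in ("R0", "R1") and " = " in rest:
        value = rest.split(" = ", 1)[1].strip()
        if not value.lower().startswith(HOMEPAGE_OK):
            reasons.append(f"IE start/default page points at {value}")
    elif section == "O2" and rest.endswith("(file missing)"):
        reasons.append("BHO registered but its DLL is gone (leftover of removed malware)")
    elif section == "O4":
        m = re.match(r"^(.*?): (?:\[[^\]]*\] )?(.*)$", rest)
        if m:
            key, command = m.groups()
            if GUID_SVCHOST.search(command):
                reasons.append("svchost.exe launched from a GUID-named Services folder")
            if ODD_CHAR_EXE.search(command):
                reasons.append("executable name contains a non-printable character")
            wm = WINDIR_ROOT_EXE.match(command)
            if wm and wm.group(1).lower() not in WINDIR_EXE_OK:
                reasons.append("autostart binary sits directly in the Windows folder")
            if key.endswith("RunOnce") and "\\" not in command:
                reasons.append("RunOnce entry with a bare file name and no path")
    elif section == "O16":
        url = rest.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith("file://"):
            reasons.append("ActiveX DPF entry pointing at a local file")
        elif RAW_IP_URL.match(url):
            reasons.append("ActiveX DPF download from a bare IP address")
        if url.lower().endswith(".exe"):
            reasons.append("DPF entry delivers an .exe instead of a .cab")
    elif section == "O17" and "NameServer = " in rest:
        servers = [s.strip() for s in rest.split("NameServer = ", 1)[1].split(",")]
        rogue = [s for s in servers if s not in TRUSTED_DNS]
        if rogue:
            reasons.append("DNS resolvers changed to " + ", ".join(rogue))
    return reasons


def triage(log_text):
    """Run check_entry over every 'Rn - ...' / 'On - ...' line of a log."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if not m:
            continue  # header, process list or blank line
        reasons = check_entry(m.group(1), m.group(2))
        if reasons:
            findings.append(Finding(m.group(1), "; ".join(reasons), line.strip()))
    return findings


# Sample entries copied from the first log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com...5&said=nicket_a
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {464F686D-F160-4832-B679-55E2FBD0A72F} - C:\WINDOWS\System32\mssah.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C73E15C1-0A6A-45FC-B7D0-EE4E9730A97E}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [dwtfw.exe] dwtfw.exe
O4 - HKCU\..\Run: [Seamcews] C:\WINDOWS\System32\r?ndll32.exe
O4 - Startup: dual.lnk = ?
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ddebnepf.exe
O16 - DPF: {20832F61-7860-1106-303A-5B6543FB49B4} - http://69.50.182.94/1/rdgUS1882.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B8D17D-5655-4060-9850-F951E4F5C7E6}: NameServer = 69.50.176.197,195.225.176.31
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run as a script it prints each flagged entry with its reason; the AVG, Acrobat and dual.lnk lines pass untouched, which is the point of the allowlists.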

#3 theberkin8or (Topic Starter, New Member, 7 posts)

I couldn't get About:Buster to work, but there are no longer any active problems. When I ran Trend Micro it said my system was fine, but then with Panda it said I had a number of things. Here is the log. I would love to get my system completely clear and then put Service Pack 2 on.


Incident Status Location

Virus:Trj/Downloader.BCK Disinfected Operating system
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/CWS.Yexe No disinfected C:\WINDOWS\System32\services
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\James Berkeley\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\System32\srpcsrv32.dll
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\apipo.exe
Virus:Trj/Downloader.BFG Disinfected Operating system
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\James Berkeley\Application Data\occh.exe
Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Possible Virus. No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\bwtrm.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\eqilp.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\kjsgz.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\neddu.dll
Possible Virus. No disinfected C:\WINDOWS\system32\dwxpa.exe
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\system32\qkfoj.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\RNDLL3~1.EXE
Virus:Trj/Downloader.BCK Disinfected C:\WINDOWS\system32\thun32.dll
Virus:Trj/Downloader.BFG Disinfected C:\WINDOWS\wldr.dll

Here is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 3:23:10 PM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\James Berkeley\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: dual.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
  • 0

#4 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

What went wrong with About:Buster? We really need it to run.
  • 0

#5 theberkin8or (Topic Starter, New Member, 7 posts)

It says "Run-time error '339': Component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid".
  • 0

#6 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Download the file in the link below and run it. It will give you the necessary file.

http://www.javacools...ngfilesetup.exe

Then retry the About:Buster advice.
  • 0

#7 theberkin8or (Topic Starter, New Member, 7 posts)

OK, got it to work. I was wrong about not having anything happening; there is still a box that is like my background was, turning white and yellow (though it is much less annoying).

Here is my virus scan log now.

Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\James Berkeley\Application Data\occh.exe
Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Possible Virus. No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\bwtrm.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\eqilp.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\kjsgz.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\neddu.dll
Possible Virus. No disinfected C:\WINDOWS\system32\dwxpa.exe
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\system32\qkfoj.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\RNDLL3~1.EXE

And my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:35:48 PM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James Berkeley\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: dual.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
  • 0

#8 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Thanks for the feedback. We will kill those files Panda couldn't get disinfected now.

***

Go to Start, right-click This Computer/My Computer.
Go to Properties.
Go to the System Restore tab.
Put a check next to ‘Turn off System Restore (on all drives).’
Press ‘Apply’.

***

Go to http://www.puritysca.../uninstall.html and follow the instructions.
Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.

***

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.

***

Restart the computer.
* As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.

***

Run About:Buster once more. Save the log that it makes.

***

Run Killbox (double-click Killbox.exe).

In the "Paste Full Path of File to Delete" box, copy and paste:
C:\Documents and Settings\James Berkeley\Application Data\occh.exe
Go to "Action" and choose "Delete on reboot".
In the next window go to "File" - "Add file". The above mentioned file will be added to the list in the screen.
Also copy and paste:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
C:\Program Files\Windows Media Player\wmplayer.exe.tmp
C:\WINDOWS\bwtrm.dll
C:\WINDOWS\eqilp.dll
C:\WINDOWS\kjsgz.dll
C:\WINDOWS\neddu.dll
C:\WINDOWS\system32\dwxpa.exe
C:\WINDOWS\system32\qkfoj.dll
C:\WINDOWS\system32\RNDLL3~1.EXE

(one by one) and add them to the list, using the same method.

Once you’re done go to "Action", and choose "Process and Reboot".

***

Scan again using the Panda online virus scan. Post the results here in your answer.

***

Open HijackThis.
Go to ‘config’.
Go to ‘misc tools’.
Put a check in the boxes next to the button ‘generate start up log’.
Then press the button itself. It will open a Notepad file.
Copy and paste the content of that file here in your answer.

***

Post back here:
an About:Buster log
an update on what Panda found
a startuplog from HijackThis.

I would also like to know how this all went.
  • 0

#9 theberkin8or (Topic Starter, New Member, 7 posts)

Gahh! Something happened. It all came back: a virus appeared, "Trojan horse download. Small.30.BL", and then another Trojan horse. I security is back. I went through all the steps again, but the virus came back and AVG couldn't stop it. I also ran AVG while in safe mode. Before I "fixed" them, Ad-Aware had about 200 infected files and Spybot found a bunch. I don't know what happened. Here is my new log file... got to love this... :-\

Logfile of HijackThis v1.98.2
Scan saved at 12:40:59 AM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Documents and Settings\James Berkeley\Start Menu\Programs\Startup\winupdate81678125[1].exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\mocih.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\Services\{787297B3-C0ED-4FF7-A114-C3827CA049D5}\SVCHOST.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\rdgUS1882.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James Berkeley\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com...5&said=nicket_a
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{787297B3-C0ED-4FF7-A114-C3827CA049D5}\SVCHOST.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: dual.lnk = ?
O4 - Startup: winupdate81678125[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {88BA4F59-73C3-4859-A1F2-13DB51C9F6FF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {88BA4F59-73C3-4859-A1F2-13DB51C9F6FF} - (no file) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
  • 0

#10 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

It looks like you have an infection that can recover itself and additionally can have other infections join it.

I'll prepare a fix, please hold on.
  • 0

#11 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Please follow this link to perfect advice by Calamity Jane. Follow her advice to the letter, including the added text on Microsoft AntiSpyware (dated 25 March 2005).

Print out the entire text and follow her lead.

At the end, post back here with a fresh log using HijackThis.

Good Luck!
  • 0

#12 theberkin8or (Topic Starter, New Member, 7 posts)

OK, new log file:

Logfile of HijackThis v1.98.2
Scan saved at 10:20:22 PM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James Berkeley\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: dual.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
  • 0

#13 theberkin8or (Topic Starter, New Member, 7 posts)

You want me to do the online virus scans again? Oh, and the white box that turns to yellow is still there...
  • 0

#14 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Please download the latest version of HijackThis. Click here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need them. Follow the instructions below if you are unsure how to save it in a permanent folder:
1.) Click on the link to download HiJackThis.exe.
2.) When it pulls up the box (for you to pick a location to save the file), click on the pulldown menu and select "[C:]".
3.) Click on the button to "create new folder" and name the folder HiJackThis.
4.) Double-click on the folder you just made (to go into the folder) and click "save" on the bottom of the box.
***

Go to ‘config’.
Go to ‘misc tools’.
Press the button ‘open uninstall manager’.
Press the button ‘save list’.
Post the content of that file here in your answer.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Put a check in the boxes next to the button ‘generate start up log’
Then press the button itself. It will open a notepad file.
Copy and paste the content of that file here in your answer.

***

Run Killbox (double-click Killbox.exe).

Run it, and click the radio button that says Delete a file on reboot. For each of the files you need to delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
C:\windows\system\msmsgs.exe
c:\windows\system\sites.ini
C:\WINDOWS\POPUPER.EXE
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

***
Run an online virus scan here.

***

Reboot your computer.
Please post:
a fresh log using HijackThis
the uninstall list
the startuplist

Let me know what the virus scan did.

No reply was posted for more than two weeks.

This topic is now closed. If you are the topicowner and still need assistance, please send me a PM.

Edited by g2i2r4, 21 April 2005 - 02:00 PM.

  • 0





