Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HijackThis Log - don't think it's clean[RESOLVED]


  • This topic is locked This topic is locked

#16
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Also killbox the next file again:

C:\WINDOWS\JOZVA.DLL

Edit.. your hijackthislog is ok! :tazz:

Edited by miekiemoes, 05 April 2005 - 03:06 PM.

  • 0

Advertisements


#17
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
While I reboot after the killbox deletion....

This message popped up when I tried to right click on the EGTHG file properties: "Windows cannot verify...APPS.inf file is missing."

Also, I found two files in the System folder that were created the same day as that EGTHG file - the day when my computer was inundated with spyware. The files are:

dgwfvi.exe
UpdInst.exe

Are these bad?
  • 0

#18
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
About:

dgwfvi.exe
UpdInst.exe

I think they are related to L2M/VX2
Better to upload them on jotti virusscan and let them scan.

About EGTHG.. weird error you get. ("Windows cannot verify...APPS.inf file is missing.")
I thought this was a 95/98*admin issue? This could be related to malware. (a worm)
I just found this thread on the net: http://www.alamopc.o...ng/od1202.shtml
It describes the issue about a missing autoexec.nt or autoexec.bat... and you were having the same problems.
Anyway, I think the EGTHG is a bad one.. so, did you rename it?
Or move it to you desktop (not copy) and see if your are still getting those errors :
(NTVDM CPU encountered illegal instruction)

Also perform an online virusscan with the next online scanners:

housecall and/or Etrust and let it delete everything it finds.

If they couldn't delete some file, write them down and post it in your next reply.
(file+folder where it is present)
  • 0

#19
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
For the UpdInst.exe file

Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
Packers detected:
-
Scanner results
AntiVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Look2Me.ab
mks_vir
Found .Look2me.A04
NOD32
Found nothing
Norman Virus Control
Found nothing
VBA32
Found Embedded.AdWare.Look2Me.ab (probable variant)

It go the 0 KB report for the dgwfvi.exe file, just like for the egthg one.
I've also noticed that my Nikon Montor window from my digital camera program keeps going to the taskbar when i start my cpmouter. I had this problem a few weeks ago, but it went away, and just returned this afternoon.

Yes, what that website says sounds right...do we know what to do about it regarding the autoexec, etc?
  • 0

#20
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Delete: UpdInst.exe

For the EGTHG~1.exe and dgwfvi.exe...I'm pretty sure those are malware, but i like to play it safe, so rename them and MOVE them to your desktop. (not copy)

Yes, what that website says sounds right...do we know what to do about it regarding the autoexec, etc?


That was an example it could be that.
The autoexec-issue is fixed now for you. About the 'APPS.inf file is missing'.. I still have to find out.. Never heard of it on a NT-machine.
That's why I thougt it was related to a worm that displays that message.

Can you perform those onlinescans now?
  • 0

#21
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
About your nikon... This is normal that.. after a reboot, it goes to the taskbar.
Because, according to your log, it starts up with windows:

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
  • 0

#22
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
I ran housecall, however when I told it to clean and rescan, it could not clean. It gave a bunch of reasons why. Any ideas??

Occasionally Trend Micro HouseCall is unable to clean malware from a system. Owing to the varying nature of viruses, trojans and worms, the way in which they may affect an operating system could mean that the cleaning process is not straightforward. Below are a few examples offering an explanation as to why an infection may not be cleaned by Trend Micro HouseCall.
The operating system denies write access to the infected files because they are being used by a running application or the malicious code itself.
Protected system files are infected - this may happen if security holes in the operating system are exploited by an intrusion.
The user profile you're currently using prohibits write access to the infected files.
The infection is the eicar test file or the malicious code itself. Such an infection cannot be cleaned because it is a test signature or malicious code.
The infection is located inside an uncleanable archive or file type. This may happen with archives that are not commonly used, or exotic constellations of infections in files or archives.
The infection is located inside an uncleanable archive or file type. This may happen with archives that are not commonly used, or exotic constellations of infections in files or archives. Archives should be ignored or deleted; automated cleaning is not recommended because:
After cleaning the file is not original anymore
Other files in the archive may be unknown malware
Inform the person who sent you the archive about the infection and ask for a clean archive.
Important note: Most of these problems do not occur if you install a product that offers realtime scanning and protection with automatic pattern file updates. This will ensure that no viruses or worms can even reach your PC and the product can execute scanning and cleaning operations at a deeper level within the operating system. Trend Micro offers several products for personal and business use, which offer realtime scanning and protect systems using many other innovative technologies. For further information please visit Trend Micro:
Trend Micro Personal Solutions Trend Micro Small and Medium Business Solutions Trend Micro Enterprise Solutions
I have run HouseCall, but I'm still infected? Below are some tips on how you can try to clean infections from your system. Note that these basically apply to customers who are not using (offline) Trend Micro products.
In most instances you can try to delete the infected file, however, please be careful as you may run the risk of losing important content if you accidentally delete the wrong file. From the infections that HouseCall has listed, click on an infection to select it, following which you should click the "Delete" button only if you are confident about what you are doing!
You can use the reported virus name to search in our virus encyclopaedia: Click here to open the virus encyclopaedia You will find detailed information about the malicious code within the encyclopaedia, including specific removal instructions and an explanation of what damage the code may have caused to your system. (Hint: go to the "Infection Finding" page and click on "Details". This will open the virus encyclopaedia for the selected virus.)
Sometimes the malicious files are backed up in the _restore folder (such as protected system files). In such cases, use the information on the page that can be found here
If nothing else helps to get rid of the infection, download the "Trend Micro Sysclean Package" from the following URL: http://uk.trendmicro...support/tsc.php The Sysclean Package is a small "unsupported!" scan/clean tool for Windows 32-bit platforms that can be run from the command line. To make it work you also need the latest pattern file from the following page: http://uk.trendmicro...ort/pattern.php The following hints should help you to use the free and unsupported tool sysclean.com:
Copy the file sysclean.com into the same folder as the extracted pattern file (named "lpt$vpn.###", where # stands for numbers).
Double-click on sysclean.com to start the scan, which opens an application window.
The information in this window will guide you through this application.
Integrated in sysclean.com is also a TSC (Trend Micro Damage Cleanup Service) that scans the infected system for currently active malicious code before the usual file scan is started. Although this system cleaning process can be very effective, Trend Micro advises that you use sysclean.com in Windows' "protected mode" (if available "Command line only"). Press F8 on your keyboard during startup to enter this mode. Running Windows in protected mode prevents most malicious code from being executed and enables malicious code to be removed from files that are generally used by the system.
  • 0

#23
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Yes, I knew housecall would give you those warnings, that's why I wanted you to write down those files. Please don't worry about those files... we'll get rid of it. We'll delete them manually afterwards.

Let's try something else, so I'll have a more clear look at it.

Download Escan: http://www.mwti.net/...e_utilities.asp
Better to disable your own virusscanner while performing the next scan.

In scan-options, check everything.
also, scan all files
When done, click scan.

When the scan is done, you'll get an option to make a log. You'll get a long log.
Open that log and copy and paste all the lines/files where it says 'infected' in your next reply.

Don't copy and paste the lines from infected files that are present in recovery or backupfolders from antispywarescanner (eg adaware, spybot s&d) or your virusscanner. Those I don't need.
I don't need the infected files/lines that are present in your System Volume Information-folder.
I just want all the other infected ones apart from those above.
  • 0

#24
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus.

File C:\WINDOWS\SYSTEM\UpdInst.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus.

File C:\WINDOWS\SYSTEM32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus.
File C:\WINDOWS\SYSTEM32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus.

File C:\WINDOWS\SYSTEM32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus.

File C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe infected by "not-a-virus:AdWare.MDH.a" Virus.

File C:\WINDOWS\SYSTEM32\cache\pop.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus.

File C:\WINDOWS\SYSTEM32\delfin.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.

File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus.

File C:\WINDOWS\SYSTEM32\midad.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.

File C:\WINDOWS\SYSTEM32\netsync.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus.

File C:\WINDOWS\SYSTEM32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus.

File C:\WINDOWS\SYSTEM32\rInRenDS.exe infected by "Trojan.Win32.Agent.az" Virus.

File C:\WINDOWS\SYSTEM32\rsyncmon.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus.

File C:\WINDOWS\SYSTEM32\update.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus.

File C:\WINDOWS\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus.

File C:\WINDOWS\Temp\GLB4B.tmp infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus.

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus.

File C:\WINDOWS\icont.exe infected by "not-a-virus:AdWare.AdURL.c" Virus.

File C:\WINDOWS\loud.exe infected by "not-a-virus:AdWare.WinAD" Virus.

File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus.

File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus.

File C:\WINDOWS\SYSTEM\UpdInst.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus.

File C:\WINDOWS\SYSTEM32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus.
File C:\WINDOWS\SYSTEM32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus.

File C:\WINDOWS\SYSTEM32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus.

File C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe infected by "not-a-virus:AdWare.MDH.a" Virus.

File C:\WINDOWS\SYSTEM32\cache\pop.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus.

File C:\WINDOWS\SYSTEM32\delfin.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.

File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus.

File C:\WINDOWS\SYSTEM32\midad.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.

File C:\WINDOWS\SYSTEM32\netsync.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus.

File C:\WINDOWS\SYSTEM32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus.

File C:\WINDOWS\SYSTEM32\rInRenDS.exe infected by "Trojan.Win32.Agent.az" Virus.

File C:\WINDOWS\SYSTEM32\rsyncmon.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus.

File C:\WINDOWS\SYSTEM32\update.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus.

File C:\WINDOWS\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus.

File C:\WINDOWS\Temp\GLB4B.tmp infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus.



Here are all the files. No action was taken for any of them.
  • 0

#25
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Great job!
Yes, there is no action taken on those files, so we are going to delete them manually.
So, search for them and delete them. Better to do this in safe mode, because it could be that some files are in use and couldn't get deleted in normal mode.

Let's get your system clean again and delete the next files:

C:\WINDOWS\sskb5.exe
C:\WINDOWS\SYSTEM\UpdInst.exe
C:\WINDOWS\SYSTEM32\akcore.dll
C:\WINDOWS\SYSTEM32\akrules.dll
C:\WINDOWS\SYSTEM32\akupd.dll
C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe
C:\WINDOWS\SYSTEM32\cache\pop.exe
C:\WINDOWS\SYSTEM32\delfin.dll
C:\WINDOWS\SYSTEM32\goldnew2b.dll
C:\WINDOWS\SYSTEM32\midad.dll
C:\WINDOWS\SYSTEM32\netsync.exe
C:\WINDOWS\SYSTEM32\psis80ex.ax
C:\WINDOWS\SYSTEM32\rInRenDS.exe
C:\WINDOWS\SYSTEM32\rsyncmon.dll
C:\WINDOWS\SYSTEM32\update.exe
C:\WINDOWS\Temp <== delete the whole content of this folder
C:\WINDOWS\wt <== this folder
C:\WINDOWS\icont.exe
C:\WINDOWS\loud.exe
C:\WINDOWS\mm15201518.Stub.exe

When done, i suggest you to perform a full ascan with adaware SE
Please make sure you don't use a previous version of adaware.

Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/

After installing AAW, and before running the program.
Please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Tell me in your next reply how things went... and if everything is running better on your system.
  • 0

Advertisements


#26
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Quick question - am I manually deleting these files through Killbox or do I just go to the specific folders, click delete, and send each file to the recycle bin?

Also, I have a friend in my dorm whose computer is completely inundated with spyware. I downloaded adaware, spybot, hijack this and ran them on her computer and clean out everything I knew was bad, but everytime she turns her computer back on, pop ups start and don't stop coming up. I've held off doing anything else to her computer while I am working on mine, but I was wondering if once we get my computer cleaned up, you can help me with hers, since she is in an even worse situation.

Thanks!
  • 0

#27
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

No need to use killbox on those files, because if you copy and paste the wrong folder in it, you'll have real problems.
It's better to go to the specific folders and delete them there. (rightclick on them and choose delete -- or select them and choose delete from the menu on your left side)

About your friend.. well, let her already post a hijackthislog in a new thread. Me or someone else will take it then.
Let her also perform a full online virusscan.

Edited by miekiemoes, 06 April 2005 - 07:37 AM.

  • 0

#28
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
I ran ad-aware which found 3 objects, which I removed:


ClearSearch Object Recognized!
Type : File
Data : A0021353.DLL
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\
FileVersion : 1, 7, 0, 2
ProductVersion : 1, 7, 0, 2
ProductName : ClearSearch LoaderUpdater
CompanyName : ClearSearch
FileDescription : LoaderUpdater
InternalName : LoaderUpdater
LegalCopyright : Copyright © 2004
OriginalFilename : LoaderUpdater.dll


ClearSearch Object Recognized!
Type : File
Data : A0021354.DLL
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\

ClearSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {CFBFAE00-17A6-11D0-99CB-00C04FD64497}



I successfully deleted all the files you previously listed. Now what?
  • 0

#29
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Well, it seems like your system is clean again! Well done!

An important thing to do is please disable your systemrestore.(note: this will delete all your system restore points and malware that were present in it).
How to disable system restore in XP
Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now! :tazz:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again!
  • 0

#30
chicagochicklett

chicagochicklett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Thank you so much!

Now that my computer is clean, I need to start working on my roommate's --- I've run ad-aware, spybot s&d so far, and it's found nothing, even though as soon as she goes to internet explorer, about 20 popups come up and don't stop.... I'm going to post a thread for her computer because she virtually cannot use IE b/c the pop-ups won't stop.

THANKS AGAIN!!!!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP