C:\WINDOWS\JOZVA.DLL
Edit.. your hijackthislog is ok!
Edited by miekiemoes, 05 April 2005 - 03:06 PM.
HijackThis Log - don't think it's clean[RESOLVED]
Started by
chicagochicklett
, Apr 01 2005 11:14 AM
-
This topic is locked
#16
Posted 05 April 2005 - 03:05 PM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
C:\WINDOWS\JOZVA.DLL
Edit.. your hijackthislog is ok!
#17
Posted 05 April 2005 - 03:22 PM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
While I reboot after the killbox deletion....
This message popped up when I tried to right click on the EGTHG file properties: "Windows cannot verify...APPS.inf file is missing."
Also, I found two files in the System folder that were created the same day as that EGTHG file - the day when my computer was inundated with spyware. The files are:
dgwfvi.exe
UpdInst.exe
Are these bad?
This message popped up when I tried to right click on the EGTHG file properties: "Windows cannot verify...APPS.inf file is missing."
Also, I found two files in the System folder that were created the same day as that EGTHG file - the day when my computer was inundated with spyware. The files are:
dgwfvi.exe
UpdInst.exe
Are these bad?
#18
Posted 05 April 2005 - 03:52 PM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
About:
dgwfvi.exe
UpdInst.exe
I think they are related to L2M/VX2
Better to upload them on jotti virusscan and let them scan.
About EGTHG.. weird error you get. ("Windows cannot verify...APPS.inf file is missing.")
I thought this was a 95/98*admin issue? This could be related to malware. (a worm)
I just found this thread on the net: http://www.alamopc.o...ng/od1202.shtml
It describes the issue about a missing autoexec.nt or autoexec.bat... and you were having the same problems.
Anyway, I think the EGTHG is a bad one.. so, did you rename it?
Or move it to you desktop (not copy) and see if your are still getting those errors :
(NTVDM CPU encountered illegal instruction)
Also perform an online virusscan with the next online scanners:
housecall and/or Etrust and let it delete everything it finds.
If they couldn't delete some file, write them down and post it in your next reply.
(file+folder where it is present)
dgwfvi.exe
UpdInst.exe
I think they are related to L2M/VX2
Better to upload them on jotti virusscan and let them scan.
About EGTHG.. weird error you get. ("Windows cannot verify...APPS.inf file is missing.")
I thought this was a 95/98*admin issue? This could be related to malware. (a worm)
I just found this thread on the net: http://www.alamopc.o...ng/od1202.shtml
It describes the issue about a missing autoexec.nt or autoexec.bat... and you were having the same problems.
Anyway, I think the EGTHG is a bad one.. so, did you rename it?
Or move it to you desktop (not copy) and see if your are still getting those errors :
(NTVDM CPU encountered illegal instruction)
Also perform an online virusscan with the next online scanners:
housecall and/or Etrust and let it delete everything it finds.
If they couldn't delete some file, write them down and post it in your next reply.
(file+folder where it is present)
#19
Posted 05 April 2005 - 05:32 PM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
For the UpdInst.exe file
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
Packers detected:
-
Scanner results
AntiVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Look2Me.ab
mks_vir
Found .Look2me.A04
NOD32
Found nothing
Norman Virus Control
Found nothing
VBA32
Found Embedded.AdWare.Look2Me.ab (probable variant)
It go the 0 KB report for the dgwfvi.exe file, just like for the egthg one.
I've also noticed that my Nikon Montor window from my digital camera program keeps going to the taskbar when i start my cpmouter. I had this problem a few weeks ago, but it went away, and just returned this afternoon.
Yes, what that website says sounds right...do we know what to do about it regarding the autoexec, etc?
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
Packers detected:
-
Scanner results
AntiVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Look2Me.ab
mks_vir
Found .Look2me.A04
NOD32
Found nothing
Norman Virus Control
Found nothing
VBA32
Found Embedded.AdWare.Look2Me.ab (probable variant)
It go the 0 KB report for the dgwfvi.exe file, just like for the egthg one.
I've also noticed that my Nikon Montor window from my digital camera program keeps going to the taskbar when i start my cpmouter. I had this problem a few weeks ago, but it went away, and just returned this afternoon.
Yes, what that website says sounds right...do we know what to do about it regarding the autoexec, etc?
#20
Posted 05 April 2005 - 05:46 PM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
Delete: UpdInst.exe
For the EGTHG~1.exe and dgwfvi.exe...I'm pretty sure those are malware, but i like to play it safe, so rename them and MOVE them to your desktop. (not copy)
That was an example it could be that.
The autoexec-issue is fixed now for you. About the 'APPS.inf file is missing'.. I still have to find out.. Never heard of it on a NT-machine.
That's why I thougt it was related to a worm that displays that message.
Can you perform those onlinescans now?
For the EGTHG~1.exe and dgwfvi.exe...I'm pretty sure those are malware, but i like to play it safe, so rename them and MOVE them to your desktop. (not copy)
Yes, what that website says sounds right...do we know what to do about it regarding the autoexec, etc?
That was an example it could be that.
The autoexec-issue is fixed now for you. About the 'APPS.inf file is missing'.. I still have to find out.. Never heard of it on a NT-machine.
That's why I thougt it was related to a worm that displays that message.
Can you perform those onlinescans now?
#21
Posted 05 April 2005 - 05:51 PM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
About your nikon... This is normal that.. after a reboot, it goes to the taskbar.
Because, according to your log, it starts up with windows:
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
Because, according to your log, it starts up with windows:
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
#22
Posted 05 April 2005 - 06:07 PM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
I ran housecall, however when I told it to clean and rescan, it could not clean. It gave a bunch of reasons why. Any ideas??
Occasionally Trend Micro HouseCall is unable to clean malware from a system. Owing to the varying nature of viruses, trojans and worms, the way in which they may affect an operating system could mean that the cleaning process is not straightforward. Below are a few examples offering an explanation as to why an infection may not be cleaned by Trend Micro HouseCall.
The operating system denies write access to the infected files because they are being used by a running application or the malicious code itself.
Protected system files are infected - this may happen if security holes in the operating system are exploited by an intrusion.
The user profile you're currently using prohibits write access to the infected files.
The infection is the eicar test file or the malicious code itself. Such an infection cannot be cleaned because it is a test signature or malicious code.
The infection is located inside an uncleanable archive or file type. This may happen with archives that are not commonly used, or exotic constellations of infections in files or archives.
The infection is located inside an uncleanable archive or file type. This may happen with archives that are not commonly used, or exotic constellations of infections in files or archives. Archives should be ignored or deleted; automated cleaning is not recommended because:
After cleaning the file is not original anymore
Other files in the archive may be unknown malware
Inform the person who sent you the archive about the infection and ask for a clean archive.
Important note: Most of these problems do not occur if you install a product that offers realtime scanning and protection with automatic pattern file updates. This will ensure that no viruses or worms can even reach your PC and the product can execute scanning and cleaning operations at a deeper level within the operating system. Trend Micro offers several products for personal and business use, which offer realtime scanning and protect systems using many other innovative technologies. For further information please visit Trend Micro:
Trend Micro Personal Solutions Trend Micro Small and Medium Business Solutions Trend Micro Enterprise Solutions
I have run HouseCall, but I'm still infected? Below are some tips on how you can try to clean infections from your system. Note that these basically apply to customers who are not using (offline) Trend Micro products.
In most instances you can try to delete the infected file, however, please be careful as you may run the risk of losing important content if you accidentally delete the wrong file. From the infections that HouseCall has listed, click on an infection to select it, following which you should click the "Delete" button only if you are confident about what you are doing!
You can use the reported virus name to search in our virus encyclopaedia: Click here to open the virus encyclopaedia You will find detailed information about the malicious code within the encyclopaedia, including specific removal instructions and an explanation of what damage the code may have caused to your system. (Hint: go to the "Infection Finding" page and click on "Details". This will open the virus encyclopaedia for the selected virus.)
Sometimes the malicious files are backed up in the _restore folder (such as protected system files). In such cases, use the information on the page that can be found here
If nothing else helps to get rid of the infection, download the "Trend Micro Sysclean Package" from the following URL: http://uk.trendmicro...support/tsc.php The Sysclean Package is a small "unsupported!" scan/clean tool for Windows 32-bit platforms that can be run from the command line. To make it work you also need the latest pattern file from the following page: http://uk.trendmicro...ort/pattern.php The following hints should help you to use the free and unsupported tool sysclean.com:
Copy the file sysclean.com into the same folder as the extracted pattern file (named "lpt$vpn.###", where # stands for numbers).
Double-click on sysclean.com to start the scan, which opens an application window.
The information in this window will guide you through this application.
Integrated in sysclean.com is also a TSC (Trend Micro Damage Cleanup Service) that scans the infected system for currently active malicious code before the usual file scan is started. Although this system cleaning process can be very effective, Trend Micro advises that you use sysclean.com in Windows' "protected mode" (if available "Command line only"). Press F8 on your keyboard during startup to enter this mode. Running Windows in protected mode prevents most malicious code from being executed and enables malicious code to be removed from files that are generally used by the system.
Occasionally Trend Micro HouseCall is unable to clean malware from a system. Owing to the varying nature of viruses, trojans and worms, the way in which they may affect an operating system could mean that the cleaning process is not straightforward. Below are a few examples offering an explanation as to why an infection may not be cleaned by Trend Micro HouseCall.
The operating system denies write access to the infected files because they are being used by a running application or the malicious code itself.
Protected system files are infected - this may happen if security holes in the operating system are exploited by an intrusion.
The user profile you're currently using prohibits write access to the infected files.
The infection is the eicar test file or the malicious code itself. Such an infection cannot be cleaned because it is a test signature or malicious code.
The infection is located inside an uncleanable archive or file type. This may happen with archives that are not commonly used, or exotic constellations of infections in files or archives.
The infection is located inside an uncleanable archive or file type. This may happen with archives that are not commonly used, or exotic constellations of infections in files or archives. Archives should be ignored or deleted; automated cleaning is not recommended because:
After cleaning the file is not original anymore
Other files in the archive may be unknown malware
Inform the person who sent you the archive about the infection and ask for a clean archive.
Important note: Most of these problems do not occur if you install a product that offers realtime scanning and protection with automatic pattern file updates. This will ensure that no viruses or worms can even reach your PC and the product can execute scanning and cleaning operations at a deeper level within the operating system. Trend Micro offers several products for personal and business use, which offer realtime scanning and protect systems using many other innovative technologies. For further information please visit Trend Micro:
Trend Micro Personal Solutions Trend Micro Small and Medium Business Solutions Trend Micro Enterprise Solutions
I have run HouseCall, but I'm still infected? Below are some tips on how you can try to clean infections from your system. Note that these basically apply to customers who are not using (offline) Trend Micro products.
In most instances you can try to delete the infected file, however, please be careful as you may run the risk of losing important content if you accidentally delete the wrong file. From the infections that HouseCall has listed, click on an infection to select it, following which you should click the "Delete" button only if you are confident about what you are doing!
You can use the reported virus name to search in our virus encyclopaedia: Click here to open the virus encyclopaedia You will find detailed information about the malicious code within the encyclopaedia, including specific removal instructions and an explanation of what damage the code may have caused to your system. (Hint: go to the "Infection Finding" page and click on "Details". This will open the virus encyclopaedia for the selected virus.)
Sometimes the malicious files are backed up in the _restore folder (such as protected system files). In such cases, use the information on the page that can be found here
If nothing else helps to get rid of the infection, download the "Trend Micro Sysclean Package" from the following URL: http://uk.trendmicro...support/tsc.php The Sysclean Package is a small "unsupported!" scan/clean tool for Windows 32-bit platforms that can be run from the command line. To make it work you also need the latest pattern file from the following page: http://uk.trendmicro...ort/pattern.php The following hints should help you to use the free and unsupported tool sysclean.com:
Copy the file sysclean.com into the same folder as the extracted pattern file (named "lpt$vpn.###", where # stands for numbers).
Double-click on sysclean.com to start the scan, which opens an application window.
The information in this window will guide you through this application.
Integrated in sysclean.com is also a TSC (Trend Micro Damage Cleanup Service) that scans the infected system for currently active malicious code before the usual file scan is started. Although this system cleaning process can be very effective, Trend Micro advises that you use sysclean.com in Windows' "protected mode" (if available "Command line only"). Press F8 on your keyboard during startup to enter this mode. Running Windows in protected mode prevents most malicious code from being executed and enables malicious code to be removed from files that are generally used by the system.
#23
Posted 05 April 2005 - 06:28 PM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
Yes, I knew housecall would give you those warnings, that's why I wanted you to write down those files. Please don't worry about those files... we'll get rid of it. We'll delete them manually afterwards.
Let's try something else, so I'll have a more clear look at it.
Download Escan: http://www.mwti.net/...e_utilities.asp
Better to disable your own virusscanner while performing the next scan.
In scan-options, check everything.
also, scan all files
When done, click scan.
When the scan is done, you'll get an option to make a log. You'll get a long log.
Open that log and copy and paste all the lines/files where it says 'infected' in your next reply.
Don't copy and paste the lines from infected files that are present in recovery or backupfolders from antispywarescanner (eg adaware, spybot s&d) or your virusscanner. Those I don't need.
I don't need the infected files/lines that are present in your System Volume Information-folder.
I just want all the other infected ones apart from those above.
Let's try something else, so I'll have a more clear look at it.
Download Escan: http://www.mwti.net/...e_utilities.asp
Better to disable your own virusscanner while performing the next scan.
In scan-options, check everything.
also, scan all files
When done, click scan.
When the scan is done, you'll get an option to make a log. You'll get a long log.
Open that log and copy and paste all the lines/files where it says 'infected' in your next reply.
Don't copy and paste the lines from infected files that are present in recovery or backupfolders from antispywarescanner (eg adaware, spybot s&d) or your virusscanner. Those I don't need.
I don't need the infected files/lines that are present in your System Volume Information-folder.
I just want all the other infected ones apart from those above.
#24
Posted 05 April 2005 - 08:58 PM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus.
File C:\WINDOWS\SYSTEM\UpdInst.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus.
File C:\WINDOWS\SYSTEM32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus.
File C:\WINDOWS\SYSTEM32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus.
File C:\WINDOWS\SYSTEM32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus.
File C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe infected by "not-a-virus:AdWare.MDH.a" Virus.
File C:\WINDOWS\SYSTEM32\cache\pop.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus.
File C:\WINDOWS\SYSTEM32\delfin.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus.
File C:\WINDOWS\SYSTEM32\midad.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\netsync.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus.
File C:\WINDOWS\SYSTEM32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus.
File C:\WINDOWS\SYSTEM32\rInRenDS.exe infected by "Trojan.Win32.Agent.az" Virus.
File C:\WINDOWS\SYSTEM32\rsyncmon.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus.
File C:\WINDOWS\SYSTEM32\update.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus.
File C:\WINDOWS\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus.
File C:\WINDOWS\Temp\GLB4B.tmp infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus.
File C:\WINDOWS\icont.exe infected by "not-a-virus:AdWare.AdURL.c" Virus.
File C:\WINDOWS\loud.exe infected by "not-a-virus:AdWare.WinAD" Virus.
File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus.
File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus.
File C:\WINDOWS\SYSTEM\UpdInst.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus.
File C:\WINDOWS\SYSTEM32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus.
File C:\WINDOWS\SYSTEM32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus.
File C:\WINDOWS\SYSTEM32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus.
File C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe infected by "not-a-virus:AdWare.MDH.a" Virus.
File C:\WINDOWS\SYSTEM32\cache\pop.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus.
File C:\WINDOWS\SYSTEM32\delfin.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus.
File C:\WINDOWS\SYSTEM32\midad.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\netsync.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus.
File C:\WINDOWS\SYSTEM32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus.
File C:\WINDOWS\SYSTEM32\rInRenDS.exe infected by "Trojan.Win32.Agent.az" Virus.
File C:\WINDOWS\SYSTEM32\rsyncmon.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus.
File C:\WINDOWS\SYSTEM32\update.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus.
File C:\WINDOWS\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus.
File C:\WINDOWS\Temp\GLB4B.tmp infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus.
Here are all the files. No action was taken for any of them.
File C:\WINDOWS\SYSTEM\UpdInst.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus.
File C:\WINDOWS\SYSTEM32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus.
File C:\WINDOWS\SYSTEM32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus.
File C:\WINDOWS\SYSTEM32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus.
File C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe infected by "not-a-virus:AdWare.MDH.a" Virus.
File C:\WINDOWS\SYSTEM32\cache\pop.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus.
File C:\WINDOWS\SYSTEM32\delfin.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus.
File C:\WINDOWS\SYSTEM32\midad.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\netsync.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus.
File C:\WINDOWS\SYSTEM32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus.
File C:\WINDOWS\SYSTEM32\rInRenDS.exe infected by "Trojan.Win32.Agent.az" Virus.
File C:\WINDOWS\SYSTEM32\rsyncmon.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus.
File C:\WINDOWS\SYSTEM32\update.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus.
File C:\WINDOWS\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus.
File C:\WINDOWS\Temp\GLB4B.tmp infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus.
File C:\WINDOWS\icont.exe infected by "not-a-virus:AdWare.AdURL.c" Virus.
File C:\WINDOWS\loud.exe infected by "not-a-virus:AdWare.WinAD" Virus.
File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus.
File C:\WINDOWS\sskb5.exe infected by "Trojan-Dropper.Win32.SurfSide.a" Virus.
File C:\WINDOWS\SYSTEM\UpdInst.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus.
File C:\WINDOWS\SYSTEM32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus.
File C:\WINDOWS\SYSTEM32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus.
File C:\WINDOWS\SYSTEM32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus.
File C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe infected by "not-a-virus:AdWare.MDH.a" Virus.
File C:\WINDOWS\SYSTEM32\cache\pop.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus.
File C:\WINDOWS\SYSTEM32\delfin.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus.
File C:\WINDOWS\SYSTEM32\midad.dll infected by "Trojan-Downloader.Win32.Miewer.a" Virus.
File C:\WINDOWS\SYSTEM32\netsync.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus.
File C:\WINDOWS\SYSTEM32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus.
File C:\WINDOWS\SYSTEM32\rInRenDS.exe infected by "Trojan.Win32.Agent.az" Virus.
File C:\WINDOWS\SYSTEM32\rsyncmon.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus.
File C:\WINDOWS\SYSTEM32\update.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus.
File C:\WINDOWS\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus.
File C:\WINDOWS\Temp\GLB4B.tmp infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus.
Here are all the files. No action was taken for any of them.
#25
Posted 06 April 2005 - 02:09 AM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
Great job!
Yes, there is no action taken on those files, so we are going to delete them manually.
So, search for them and delete them. Better to do this in safe mode, because it could be that some files are in use and couldn't get deleted in normal mode.
Let's get your system clean again and delete the next files:
C:\WINDOWS\sskb5.exe
C:\WINDOWS\SYSTEM\UpdInst.exe
C:\WINDOWS\SYSTEM32\akcore.dll
C:\WINDOWS\SYSTEM32\akrules.dll
C:\WINDOWS\SYSTEM32\akupd.dll
C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe
C:\WINDOWS\SYSTEM32\cache\pop.exe
C:\WINDOWS\SYSTEM32\delfin.dll
C:\WINDOWS\SYSTEM32\goldnew2b.dll
C:\WINDOWS\SYSTEM32\midad.dll
C:\WINDOWS\SYSTEM32\netsync.exe
C:\WINDOWS\SYSTEM32\psis80ex.ax
C:\WINDOWS\SYSTEM32\rInRenDS.exe
C:\WINDOWS\SYSTEM32\rsyncmon.dll
C:\WINDOWS\SYSTEM32\update.exe
C:\WINDOWS\Temp <== delete the whole content of this folder
C:\WINDOWS\wt <== this folder
C:\WINDOWS\icont.exe
C:\WINDOWS\loud.exe
C:\WINDOWS\mm15201518.Stub.exe
When done, i suggest you to perform a full ascan with adaware SE
Please make sure you don't use a previous version of adaware.
Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/
After installing AAW, and before running the program.
Please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/
Reconfigure Ad-Aware for Full Scan:
Launch the program, and click on the Gear at the top of the start screen.
Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.
Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.
Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.
Tell me in your next reply how things went... and if everything is running better on your system.
Yes, there is no action taken on those files, so we are going to delete them manually.
So, search for them and delete them. Better to do this in safe mode, because it could be that some files are in use and couldn't get deleted in normal mode.
Let's get your system clean again and delete the next files:
C:\WINDOWS\sskb5.exe
C:\WINDOWS\SYSTEM\UpdInst.exe
C:\WINDOWS\SYSTEM32\akcore.dll
C:\WINDOWS\SYSTEM32\akrules.dll
C:\WINDOWS\SYSTEM32\akupd.dll
C:\WINDOWS\SYSTEM32\cache\HLInstaller.exe
C:\WINDOWS\SYSTEM32\cache\pop.exe
C:\WINDOWS\SYSTEM32\delfin.dll
C:\WINDOWS\SYSTEM32\goldnew2b.dll
C:\WINDOWS\SYSTEM32\midad.dll
C:\WINDOWS\SYSTEM32\netsync.exe
C:\WINDOWS\SYSTEM32\psis80ex.ax
C:\WINDOWS\SYSTEM32\rInRenDS.exe
C:\WINDOWS\SYSTEM32\rsyncmon.dll
C:\WINDOWS\SYSTEM32\update.exe
C:\WINDOWS\Temp <== delete the whole content of this folder
C:\WINDOWS\wt <== this folder
C:\WINDOWS\icont.exe
C:\WINDOWS\loud.exe
C:\WINDOWS\mm15201518.Stub.exe
When done, i suggest you to perform a full ascan with adaware SE
Please make sure you don't use a previous version of adaware.
Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/
After installing AAW, and before running the program.
Please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/
Reconfigure Ad-Aware for Full Scan:
Launch the program, and click on the Gear at the top of the start screen.
Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.
Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.
Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.
Tell me in your next reply how things went... and if everything is running better on your system.
#26
Posted 06 April 2005 - 06:54 AM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
Quick question - am I manually deleting these files through Killbox or do I just go to the specific folders, click delete, and send each file to the recycle bin?
Also, I have a friend in my dorm whose computer is completely inundated with spyware. I downloaded adaware, spybot, hijack this and ran them on her computer and clean out everything I knew was bad, but everytime she turns her computer back on, pop ups start and don't stop coming up. I've held off doing anything else to her computer while I am working on mine, but I was wondering if once we get my computer cleaned up, you can help me with hers, since she is in an even worse situation.
Thanks!
Also, I have a friend in my dorm whose computer is completely inundated with spyware. I downloaded adaware, spybot, hijack this and ran them on her computer and clean out everything I knew was bad, but everytime she turns her computer back on, pop ups start and don't stop coming up. I've held off doing anything else to her computer while I am working on mine, but I was wondering if once we get my computer cleaned up, you can help me with hers, since she is in an even worse situation.
Thanks!
#27
Posted 06 April 2005 - 07:36 AM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
Hi,
No need to use killbox on those files, because if you copy and paste the wrong folder in it, you'll have real problems.
It's better to go to the specific folders and delete them there. (rightclick on them and choose delete -- or select them and choose delete from the menu on your left side)
About your friend.. well, let her already post a hijackthislog in a new thread. Me or someone else will take it then.
Let her also perform a full online virusscan.
No need to use killbox on those files, because if you copy and paste the wrong folder in it, you'll have real problems.
It's better to go to the specific folders and delete them there. (rightclick on them and choose delete -- or select them and choose delete from the menu on your left side)
About your friend.. well, let her already post a hijackthislog in a new thread. Me or someone else will take it then.
Let her also perform a full online virusscan.
Edited by miekiemoes, 06 April 2005 - 07:37 AM.
#28
Posted 06 April 2005 - 09:24 PM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
I ran ad-aware which found 3 objects, which I removed:
ClearSearch Object Recognized!
Type : File
Data : A0021353.DLL
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\
FileVersion : 1, 7, 0, 2
ProductVersion : 1, 7, 0, 2
ProductName : ClearSearch LoaderUpdater
CompanyName : ClearSearch
FileDescription : LoaderUpdater
InternalName : LoaderUpdater
LegalCopyright : Copyright © 2004
OriginalFilename : LoaderUpdater.dll
ClearSearch Object Recognized!
Type : File
Data : A0021354.DLL
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\
ClearSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
I successfully deleted all the files you previously listed. Now what?
ClearSearch Object Recognized!
Type : File
Data : A0021353.DLL
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\
FileVersion : 1, 7, 0, 2
ProductVersion : 1, 7, 0, 2
ProductName : ClearSearch LoaderUpdater
CompanyName : ClearSearch
FileDescription : LoaderUpdater
InternalName : LoaderUpdater
LegalCopyright : Copyright © 2004
OriginalFilename : LoaderUpdater.dll
ClearSearch Object Recognized!
Type : File
Data : A0021354.DLL
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\
ClearSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
I successfully deleted all the files you previously listed. Now what?
#29
Posted 06 April 2005 - 10:59 PM
miekiemoes
-
- Member
-
- 5,503 posts
Malware Expert
Well, it seems like your system is clean again! Well done!
An important thing to do is please disable your systemrestore.(note: this will delete all your system restore points and malware that were present in it).
How to disable system restore in XP
Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now!
To keep this clean in the future, I would suggest the following things:
Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
Let your antispywarescanner(s) scan frequently and don't forget to update before.
And I do suggest you perform an online virusscan once in a while. (housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!
Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/
More info on how to prevent malware you can also find here (By Tony Klein)
Happy surfing again!
An important thing to do is please disable your systemrestore.(note: this will delete all your system restore points and malware that were present in it).
How to disable system restore in XP
Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now!
To keep this clean in the future, I would suggest the following things:
Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
Let your antispywarescanner(s) scan frequently and don't forget to update before.
And I do suggest you perform an online virusscan once in a while. (housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!
Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/
More info on how to prevent malware you can also find here (By Tony Klein)
Happy surfing again!
#30
Posted 07 April 2005 - 08:22 AM
chicagochicklett
- Topic Starter
-
- Member
-
- 55 posts
Member
Thank you so much!
Now that my computer is clean, I need to start working on my roommate's --- I've run ad-aware, spybot s&d so far, and it's found nothing, even though as soon as she goes to internet explorer, about 20 popups come up and don't stop.... I'm going to post a thread for her computer because she virtually cannot use IE b/c the pop-ups won't stop.
THANKS AGAIN!!!!
Now that my computer is clean, I need to start working on my roommate's --- I've run ad-aware, spybot s&d so far, and it's found nothing, even though as soon as she goes to internet explorer, about 20 popups come up and don't stop.... I'm going to post a thread for her computer because she virtually cannot use IE b/c the pop-ups won't stop.
THANKS AGAIN!!!!
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
