Browser modifier [closed]


  • This topic is locked

#1
davmic0907

  • Member
  • 30 posts
Have followed all steps as instructed - with the exception of the Microsoft update, as this thing will not allow me to connect to the Microsoft site - keeps coming up with various top finder & if finder search engines.

HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 19:10:58, on 01/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Voyager100Test\fts.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mdm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\jason o'grady\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104430329975
O17 - HKLM\System\CCS\Services\Tcpip\..\{3550CB3E-7CA1-41DF-9137-6834F2B3829C}: NameServer = 205.188.146.145
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0


#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Hi davmic0907 and welcome to Geeks to Go!

Sorry for the delay, the forums are very busy now.

If you're still in need, post back here in this topic with a fresh log using HijackThis. If you solved the problem, please let me know.
  • 0

#3
davmic0907

  • Topic Starter
  • Member
  • 30 posts
Thanks
Yes, still need help - here is a copy of the latest log

Logfile of HijackThis v1.99.1
Scan saved at 22:50:02, on 11/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Voyager100Test\fts.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\mdm.exe
C:\Documents and Settings\jason o'grady\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104430329975
O17 - HKLM\System\CCS\Services\Tcpip\..\{3550CB3E-7CA1-41DF-9137-6834F2B3829C}: NameServer = 205.188.146.145
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
davmic0907, thanks for replying so fast.

First let's download some helpers:

Download CleanUp!.
If the link doesn't work, download it from here.
Don't run the program, we'll do that later.

***

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.

***

Open HijackThis.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Click on Fix Checked when finished and exit HijackThis.

***

Find and double-click the file cleanup312.exe.

Go to option
Select ‘custom’
Put a check to:
* Temp
* All users.
Press 'cleanup!'
Once it's done, do not log off. Answer No.

***

Run Killbox (double-click Killbox.exe).

Run it, and click the radio button that says Delete a file on reboot. For each of the files in the box below, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

c:\eied_s7.cab
c:\ex.cab
C:\WINDOWS\System32\vbsys2.dll

Let the system reboot.

***

Please do an online scan, 2 would be better:

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

***

Reboot again.

Let me know about any files the online virus scanners could not remove (tell me the full path, c:\...etc).

Post back here with a fresh log using HijackThis.

How are things now?
  • 0

#5
davmic0907

  • Topic Starter
  • Member
  • 30 posts
Sorry for delay in replying.
Did everything you suggested apart from online scan as won't let me download the housecall one & the panda one is blocked with this search engine thing again.
Did Microsoft AntiSpyware but came up with same thing it always does which is when it gets to the "registry keys scanned" section & comes up with
"Possible browser hijack" (Browser modifier) - location: IE start page about blank.

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:41:20, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Voyager100Test\fts.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\mdm.exe
C:\Documents and Settings\jason o'grady\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104430329975
O17 - HKLM\System\CCS\Services\Tcpip\..\{3550CB3E-7CA1-41DF-9137-6834F2B3829C}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#6
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
If you have the Microsoft® Windows® AntiSpyware (Beta) installed, right-click the Windows AntiSpyware icon in the taskbar notification area and click "Shutdown Microsoft AntiSpyware".

For Spybot-SD Resident.
Open Spybot.
Go to advanced mode - Tools - Resident and uncheck both options for now.

Download CW-Shredder at the link below:
http://cwshredder.ne.../CWShredder.exe

Download 'SpSeHjfix' to the desktop.
Right-click a blank part of the desktop and select new folder, call it ‘spfix’.
Unzip the file into that folder.

Disconnect from the net completely and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your computer to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say system clean and not go on to next stage.

Now run the CWShredder - Hit The FIX button!

Reboot and post a fresh log using HijackThis and the log that was created by 'SpSeHjfix'.
Also, make sure Microsoft Antispyware is running and re-enable Spybot-SD Resident.
  • 0

#7
davmic0907

  • Topic Starter
  • Member
  • 30 posts
ok did everything
new hjt log enclosed & also log from spfix

Logfile of HijackThis v1.99.1
Scan saved at 00:25:31, on 16/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Voyager100Test\fts.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\jason o'grady\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104430329975
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


(4/16/05 00:21:14) SPSeHjFix started v1.1.2
(4/16/05 00:21:14) OS: WinXP Service Pack 1 (5.1.2600)
(4/16/05 00:21:14) Language: english
(4/16/05 00:21:14) Win-Path: C:\WINDOWS
(4/16/05 00:21:14) System-Path: C:\WINDOWS\System32
(4/16/05 00:21:14) Temp-Path: C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\
(4/16/05 00:21:24) Disinfection started
(4/16/05 00:21:24) Bad-Dll(IEP): (not found)
(4/16/05 00:21:24) Bad-Dll(IEP) in BHO: (not found)
(4/16/05 00:21:24) UBF: 4 - UBB: 2 - UBR: 12
(4/16/05 00:21:24) UBF: 4 - UBB: 2 - UBR: 12
(4/16/05 00:21:24) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(4/16/05 00:21:24) Stealth-String not found
(4/16/05 00:21:24) Not infected->END
  • 0
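The check that post #4 asks the user to do by eye (fix exactly the listed entries, then confirm in a fresh log that they are gone and nothing else changed), written out as an added example; it is not part of the thread or of HijackThis. The function names `parse_entries` and `check_fix` are hypothetical, and the three log excerpts are abridged from the 11/04, 13/04 and 16/04 logs posted above.

```python
import re

# A HijackThis entry line is "<section> - <body>",
# e.g. "O21 - SSODL: SystemCheck2 - {...} - C:\WINDOWS\System32\vbsys2.dll".
# Process paths ("C:\WINDOWS\...") and header lines do not match this shape.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Abridged excerpts of the logs posted in this thread (not the full logs).
LOG_11_APR = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3550CB3E-7CA1-41DF-9137-6834F2B3829C}: NameServer = 205.188.146.145
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
"""

LOG_13_APR = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3550CB3E-7CA1-41DF-9137-6834F2B3829C}: NameServer = 205.188.146.145
"""

LOG_16_APR = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
"""

# The five entries post #4 said to check before pressing "Fix Checked".
TARGETED = [
    r"O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab",
    r"O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab",
    r"O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab",
    r"O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab",
    r"O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll",
]


def parse_entries(log_text):
    """Return the set of (section, body) pairs for every entry line in a log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group("section"), match.group("body").strip()))
    return entries


def check_fix(before_log, after_log, targeted_lines):
    """Compare two logs against the list of entries that were meant to be fixed."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    targets = parse_entries("\n".join(targeted_lines))
    return {
        # Target lines that never matched the earlier log (copy/paste mismatch).
        "not_in_before": sorted(targets - before),
        # Target lines that survived the fix or came back after reboot.
        "still_present": sorted(targets & after),
        # Entries that vanished although nobody asked for them to be fixed.
        "removed_untargeted": sorted((before - after) - targets),
        # Entries that appeared between the two scans.
        "new_entries": sorted(after - before),
    }


def format_report(result):
    """Render a check_fix() result as readable text."""
    lines = []
    for key, items in result.items():
        lines.append(f"{key}: {len(items)}")
        lines.extend(f"    {section} - {body}" for section, body in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print("11/04 -> 13/04")
    print(format_report(check_fix(LOG_11_APR, LOG_13_APR, TARGETED)))
    print("11/04 -> 16/04")
    print(format_report(check_fix(LOG_11_APR, LOG_16_APR, TARGETED)))
```

On these excerpts the 13/04 log shows all five targeted entries gone and nothing else changed, while the 16/04 log additionally lacks the O2 SDHelper and O17 NameServer lines, which is the kind of untargeted change worth accounting for before calling a machine clean.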

#8
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
  • 0

#9
davmic0907

  • Topic Starter
  • Member
  • 30 posts
here is the mwav log

Sat Apr 16 16:25:26 2005 => **********************************************************
Sat Apr 16 16:25:26 2005 => MicroWorld AntiVirus Toolkit Utility.
Sat Apr 16 16:25:26 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Sat Apr 16 16:25:26 2005 => **********************************************************
Sat Apr 16 16:25:26 2005 => Version 6.0.8 (C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\mwavscan.com)
Sat Apr 16 16:25:26 2005 => Log File: C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\MWAV.LOG
Sat Apr 16 16:25:26 2005 => MWAV Registered: FALSE.
Sat Apr 16 16:25:26 2005 => MWAV Mode: Only Scan files.
Sat Apr 16 16:25:26 2005 => Latest Date of files inside MWAV: 16 Apr 2005 10:38:17.
Sat Apr 16 16:25:34 2005 => AV Library Loaded...
Sat Apr 16 16:25:34 2005 => MWAV doing self scanning...
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\kavss.exe
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\Getvlist.exe
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\kavss.dll
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\kavssdi.dll
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\kavssi.dll
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\kavvlg.dll
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\msvlclnt.dll
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\ipc.dll
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\main.avi
Sat Apr 16 16:25:34 2005 => Scanning File C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\virus.avi
Sat Apr 16 16:25:34 2005 => MWAV files are clean.
Sat Apr 16 16:25:34 2005 => Virus Database Date: 2005/04/16
Sat Apr 16 16:25:34 2005 => Virus Database Count: 126266

Sat Apr 16 16:26:35 2005 => **********************************************************
Sat Apr 16 16:26:35 2005 => MicroWorld AntiVirus Toolkit Utility.
Sat Apr 16 16:26:35 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Sat Apr 16 16:26:35 2005 =>
Sat Apr 16 16:26:35 2005 => Support: support@mwti.net
Sat Apr 16 16:26:35 2005 => Web: http://www.mwti.net
Sat Apr 16 16:26:35 2005 => **********************************************************
Sat Apr 16 16:26:35 2005 => Version 6.0.8 (C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\mwavscan.com)
Sat Apr 16 16:26:35 2005 => Log File: C:\DOCUME~1\JASONO~1\LOCALS~1\Temp\MWAV.LOG
Sat Apr 16 16:26:35 2005 => User Account: jason o'grady
Sat Apr 16 16:26:35 2005 => Windows Root Folder: C:\WINDOWS
Sat Apr 16 16:26:35 2005 => Windows Sys32 Folder: C:\WINDOWS\System32
Sat Apr 16 16:26:35 2005 => OS: Windows NT
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you post me the part that says "virus log information"?

Looks like this:
File C:\DOCUME~1\usernaeml\LOCALS~1\TEMPOR~1\Content.IE5\UUEBXB2\mm63[1].ocx infected by "Trojan-Downloader.Win32.VB.ez" Virus. Action Taken: No Action Taken.

  • 0



#11
davmic0907

davmic0907

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
sorry - correct part of log now:

File C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\AOL\ACS\AOLDial.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\QUICKT~1\qttask.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\AOL9~1.0\aoltray.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\AOL\ACS\AOLDial.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\QUICKT~1\qttask.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.PsKill. No Action Taken.
File C:\WINDOWS\System32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
File C:\Program Files\AOL 9.0\aoltray.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\AOL 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\cleaner.log infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP106\A0022151.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018199.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018200.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018202.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018203.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018207.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018208.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.PsKill. No Action Taken.
File C:\WINDOWS\system\RESTORE.INS tagged as not-a-virus:NetTool.PsKill. No Action Taken.
File C:\WINDOWS\system32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
  • 0

#12
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please download:
Kaspersky Free Cleaner 12.0.0.1.

After doing its job it may show return codes:
0 - nothing to clean
1 - virus was deleted and system restored
2 - to finalize removal of virus you should reboot system
3 - to finalize removal of virus you should reboot system and start program the second time
4 - program error.

Let me know how it did.
  • 0

#13
davmic0907

davmic0907

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
did as suggested but results didn't show in the way you suggest - came up as:

Files scanned 31056
Infected 20
disinfected 13
disinfect after reboot 7
deleted 0
delete after reboot 0

obviously rebooted system & did Microsoft AntiSpyware scan straight away & still coming up with this browser hijacker.
  • 0

#14
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
My mistake, I forgot AntiSpyWare. When active, it restores what is changed.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

As soon as we have the system cleared, do this:
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please hold on, I'll prepare new advice.

Edited by g2i2r4, 17 April 2005 - 09:42 AM.

  • 0
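An added example, not part of any post in this thread: a small Python triage of the MWAV "virus log information" lines, which collapses repeated entries and separates the System Restore copies (the ones the post above says can only be cleared by resetting System Restore) from live files and "not-a-virus" riskware tags. The sample lines are taken from the log posted earlier; the names LINE, parse and triage are this example's own.

```python
import re
from collections import defaultdict

# A few lines in the two shapes MWAV writes, taken from the log in this thread.
SAMPLE_LOG = r'''
File C:\PROGRA~1\QUICKT~1\qttask.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\QUICKT~1\qttask.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.PsKill. No Action Taken.
File C:\System Volume Information\_restore{449087FE-5F76-4B77-93B9-10D66F43E3F7}\RP83\A0018199.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
'''

# One pattern for both shapes: 'infected by "<name>" Virus. Action Taken: <action>.'
# and 'tagged as <name>. <action>.'
LINE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<inf>[^"]+)" Virus\. Action Taken:|tagged as (?P<tag>\S+?)\.)'
    r' (?P<action>.+?)\.?$')

def parse(log):
    """Return {(lower-cased path, detection name): action}, duplicates collapsed."""
    seen = {}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines, blanks, anything not a finding
        name = m.group("inf") or m.group("tag")
        # Windows paths are case-insensitive, so compare lower-cased.
        # 8.3 short names (PROGRA~1) cannot be expanded offline and stay distinct.
        seen.setdefault((m.group("path").lower(), name), m.group("action"))
    return seen

def triage(log):
    """Group unique findings into system_restore / riskware / infected."""
    buckets = defaultdict(list)
    for (path, name), _action in parse(log).items():
        if "\\system volume information\\_restore{" in path:
            bucket = "system_restore"   # backed-up copy inside a restore point
        elif name.startswith("not-a-virus:"):
            bucket = "riskware"         # adware/tool tag, not a file infector
        else:
            bucket = "infected"         # live file with a malware detection
        buckets[bucket].append((path, name))
    return dict(buckets)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, len(items))
```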

#15
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I suspect you are infected with the rare CWS.Holax viral variant.
Please run the Computer Associates online scan here:
http://www3.ca.com/s...sinfo/scan.aspx
Follow the prompts to scan your hard drive. When the scan is finished it will produce a report of infected files at the bottom of the screen. Please copy the entire text of this report and post it here for me to see.
If I'm right, we'll be done in no time.
  • 0





