
Adware problems[RESOLVED]


  • This topic is locked

#1
diehlal

    New Member

  • Member
  • 9 posts
Hi. Early today I was having major problems with adware, trojans, and viruses. I posted here and was referred to a checklist. Following the checklist I ran AdAware, Spybot, AVG Free, Updated my windows, and ran HiJackThis. I think my system is fairly clean now since AdAware and the other programs are no longer finding anything, but I was hoping someone could look over my HiJackThis log to make sure I'm not missing anything. I don't really know what I'm looking for, but I've spent the last 4 hours working on my computer so I would really like to get everything. Thank you, Alex Diehl.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:04 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\WINDOWS\System32\vtodmgr.exe
C:\Documents and Settings\user\Application Data\nnor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitexab32.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VCDK] C:\WINDOWS\VCDK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [welvaxc] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [sfmapi] C:\WINDOWS\System32\sfmapi.exe
O4 - HKCU\..\Run: [qufajdr] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [Pbcr] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [lfiyuyk] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [iyxolol] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [ftuktgk] c:\windows\vdffwfi.exe
O4 - HKCU\..\Run: [ednuwlm] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [bopqRRMnP] vtodmgr.exe
O4 - HKCU\..\Run: [akmedpn] c:\windows\pglnyap.exe
O4 - HKCU\..\Run: [Aeae] C:\Documents and Settings\user\Application Data\nnor.exe
O4 - HKCU\..\Run: [mwjcjqw] c:\windows\tvdxbqw.exe
O4 - HKCU\..\Run: [pewgeee] c:\windows\tvdxbqw.exe
O4 - HKCU\..\Run: [maohfun] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [jchbebc] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [qpbqtjd] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [bravofn] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [yfjvynp] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [hokplry] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [qmhlmbm] c:\windows\oyhaxwv.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: BJ Status Monitor Canon i860.lnk = C:\Documents and Settings\user\cnmss Canon i860 (Local).exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\user\Application Data\DownloadPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {CA2F468C-7343-4D3A-BF91-3A88FB1ADCBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA2F468C-7343-4D3A-BF91-3A88FB1ADCBE} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Thanks again.
#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Alex, you definitely have some bad stuff in there.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Click on flsmngr.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work.
Go to Start->Run and type in services.msc and hit OK. Then look for Debug oupost relations (LAGOS) and double click on it. Click on the Stop button and under Startup type, choose Disabled. Do the same for Loading Outpost Connections (KDE).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\System32\?hkdsk.exe
C:\WINDOWS\System32\vtodmgr.exe
C:\Documents and Settings\user\Application Data\nnor.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitexab32.exe
O4 - HKLM\..\Run: [VCDK] C:\WINDOWS\VCDK.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [welvaxc] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [sfmapi] C:\WINDOWS\System32\sfmapi.exe
O4 - HKCU\..\Run: [qufajdr] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [Pbcr] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [lfiyuyk] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [iyxolol] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [ftuktgk] c:\windows\vdffwfi.exe
O4 - HKCU\..\Run: [ednuwlm] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [bopqRRMnP] vtodmgr.exe
O4 - HKCU\..\Run: [akmedpn] c:\windows\pglnyap.exe
O4 - HKCU\..\Run: [Aeae] C:\Documents and Settings\user\Application Data\nnor.exe
O4 - HKCU\..\Run: [mwjcjqw] c:\windows\tvdxbqw.exe
O4 - HKCU\..\Run: [pewgeee] c:\windows\tvdxbqw.exe
O4 - HKCU\..\Run: [maohfun] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [jchbebc] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [qpbqtjd] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [bravofn] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [yfjvynp] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [hokplry] c:\windows\bydeprf.exe
O4 - HKCU\..\Run: [qmhlmbm] c:\windows\oyhaxwv.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\user\Application Data\DownloadPlus.exe
O9 - Extra button: Microsoft AntiSpyware helper - {CA2F468C-7343-4D3A-BF91-3A88FB1ADCBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA2F468C-7343-4D3A-BF91-3A88FB1ADCBE} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\user\Application Data\DownloadPlus.exe
C:\Documents and Settings\user\Application Data\nnor.exe
c:\windows\bydeprf.exe
c:\windows\oyhaxwv.exe
c:\windows\pglnyap.exe
c:\windows\phcfyoe.exe
C:\WINDOWS\System32\ahtun.exe
C:\WINDOWS\System32\cmdtel.exe
C:\windows\system32\elitexab32.exe
c:\windows\system32\flsmngr.dll
C:\WINDOWS\System32\sfmapi.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\vtodmgr.exe
c:\windows\tvdxbqw.exe
C:\WINDOWS\VCDK.exe
c:\windows\vdffwfi.exe


Do a search for ?hkdsk.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand-alone tool and NOT just a virus checker... so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane...
Left click and highlight all the information in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything... but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#3
tnsc

    New Member

  • Member
  • 3 posts
Please refrain from replying to topics in the malware forum until you have been trained at GeekU.
If looking to become a member please see Here.
Thanks
Don

Edited by don77, 28 April 2005 - 09:41 PM.


#4
diehlal

    New Member

  • Topic Starter
  • Member
  • 9 posts
Thank you so much for the help. I have done everything you listed up to the Mwav scanner. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:24:17 AM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Startup: BJ Status Monitor Canon i860.lnk = C:\Documents and Settings\user\cnmss Canon i860 (Local).exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

I will post the results from the scanner asap. Thanks again.
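The triage greyknight17 does by eye in post #2 (search-page hijacks, an orphaned BHO, autostart entries for oddly named files in the Windows folder, the same file registered under several Run values, an unknown Winsock LSP, services with no vendor and a missing binary) and the before/after comparison that the second log in post #4 allows can be written down as a small script. This is an added example written for this page, not code from HijackThis, Geeks to Go, or either poster; the heuristics and the sample lines are constructed assumptions (the lines are modelled on the thread's log but are not the full log).

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99 log format, modelled on the kinds of entries
# discussed in this thread. It is an abbreviation, not the poster's full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VCDK] C:\WINDOWS\VCDK.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [welvaxc] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [qufajdr] c:\windows\phcfyoe.exe
O4 - HKCU\..\Run: [Pbcr] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\user\Application Data\DownloadPlus.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
"""

# Constructed "after the fix" log: only the entries that should survive the cleanup.
SAMPLE_AFTER = r"""
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 bodies come in two shapes: "HKxx\..\Run: [value name] command" and "Startup: x.lnk = target".
O4_RE = re.compile(r"^(?:HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] |(?:Global )?Startup: [^=]+ = )(?P<cmd>.*)$")


def parse(log: str):
    """Split a HijackThis log into (section code, body) tuples, skipping the header lines."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def target_path(cmd: str) -> str:
    """First executable/library path in a Run command, lower-cased, leading quote stripped."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"^(.*?\.(?:exe|dll))", cmd, re.I)
    return (m.group(1) if m else cmd.split(" ")[0]).lower()


def triage(log: str):
    """Return [(code, body, reason), ...] for entries a responder should look at first."""
    entries = parse(log)
    # Several Run values launching one file is the persistence pattern in this thread's log.
    run_targets = Counter()
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m and m.group("name") is not None:
            run_targets[target_path(m.group("cmd"))] += 1

    findings = []
    for code, body in entries:
        reasons = []
        if code.startswith("R"):
            reasons.append("search/start page hijack candidate: confirm the value is one you set")
        elif code == "O2" and "(no file)" in body:
            reasons.append("BHO registered with no backing file")
        elif code == "O4":
            m = O4_RE.match(body)
            if m:
                path = target_path(m.group("cmd"))
                if "?" in path:
                    reasons.append("unprintable character in file name (shown as '?')")
                if "\\application data\\" in path:
                    reasons.append("autostart from a user profile data folder")
                if re.match(r"^[a-z]:\\windows\\[^\\]+$", path):
                    reasons.append("executable placed directly in the Windows folder")
                if run_targets[path] > 1:
                    reasons.append(f"same file registered under {run_targets[path]} Run values")
        elif code == "O10" and "Unknown file" in body:
            reasons.append("unknown Winsock LSP: remove with LSPFix, not by deleting the file")
        elif code == "O23" and "Unknown owner" in body and "(file missing)" in body:
            reasons.append("service with no vendor and a missing binary")
        if reasons:
            findings.append((code, body, "; ".join(reasons)))
    return findings


def removed_entries(before: str, after: str):
    """Entries present in an earlier log but absent from a later one: did the fix take?"""
    after_set = set(parse(after))
    return [e for e in parse(before) if e not in after_set]


if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code}  {body}\n      -> {why}")
    print(f"{len(removed_entries(SAMPLE_LOG, SAMPLE_AFTER))} entries gone after the fix")
```

Run over the sample it flags the same classes of line greyknight17 listed, and `removed_entries` confirms that the follow-up log no longer carries them. The caveats matter more than the hits: the heuristics say nothing about entries the expert recognised by name (elitexab32.exe, sfmapi.exe, the FilePlanet O16 control), and the O23 rule would also flag the NVIDIA NVSvc line with "Unknown owner" and "(file missing)", which he deliberately left alone. Treat the output as a triage aid for deciding what to research, not as a verdict, and handle the O10 lines through LSPFix as the post says, since a broken LSP chain takes networking down with it.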

#5
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You should really try to post everything in one reply since it will be faster for both of us that way.

OK, the HijackThis log is clean. Let's have a look at the mwav scan.

#6
diehlal

    New Member

  • Topic Starter
  • Member
  • 9 posts
Sorry, I fell asleep waiting for the scan to finish, results are not...happy. Here's the log:

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bln02nqv.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\glfexdyb.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\taskmg.exe infected by "Trojan.Win32.Hpt.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\txfdb32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winb2s32.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winb2s33.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\180SAInstaller.exe infected by "not-a-virus:AdWare.180Solutions.g" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\7ba7EF.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\Ahe8Y0.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\Del77.tmp infected by "not-a-virus:AdWare.180Solutions.e" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II18A.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II18B.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II22.exe infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II58.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II59.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II5B.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II96.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\II97.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\IIAA.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\IIAB.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\IID8.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\IID9.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\IIF.tmp infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\naCbDc.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\res61.tmp infected by "not-a-virus:AdWare.180Solutions.g" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\SdQfHq.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\Temp\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\Content.IE5\S5C7034R\file[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142040}\Java 2 SDK, SE v1.4.2_04.msi tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142050}\Java 2 SDK, SE v1.4.2_05.msi tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\180SAInstaller.exe infected by "not-a-virus:AdWare.180Solutions.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\7ba7EF.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\Ahe8Y0.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\Del77.tmp infected by "not-a-virus:AdWare.180Solutions.e" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II18A.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II18B.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II22.exe infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II58.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II59.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II5B.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II96.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\II97.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\IIAA.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\IIAB.tmp infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\IID8.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\IID9.tmp infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\IIF.tmp infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\naCbDc.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\res61.tmp infected by "not-a-virus:AdWare.180Solutions.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\SdQfHq.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temp\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\S5C7034R\file[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\user\My Documents\CAT-FF7.ZIP tagged as not-a-virus:Cracker.AssasinPatch. No Action Taken.
File C:\Documents and Settings\user\My Documents\mirc612.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
File C:\HJT\backups\backup-20050428-160754-815.dll infected by "not-a-virus:AdWare.WinAD.ak" Virus. Action Taken: No Action Taken.
File C:\j2sdk1.4.2_05\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\j2sdk1.4.2_05\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\Common Files\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
File C:\Sierra\Counter-Strike\hltv.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP362\A0101583.exe infected by "Trojan.Win32.Qhost.x" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP365\A0101808.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP365\A0101820.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP370\A0108003.exe infected by "Trojan-Dropper.Win32.Small.ue" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP371\A0108029.dll infected by "Trojan-Downloader.Win32.Small.amg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP371\A0108030.exe infected by "Trojan-Dropper.Win32.Agent.hh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP371\A0108031.exe infected by "not-a-virus:AdWare.BargianBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP371\A0108033.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108043.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108044.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108077.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108090.dll infected by "Trojan-Downloader.Win32.Apropo.w" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108094.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108095.dll infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108096.exe infected by "not-a-virus:AdWare.BargianBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108097.dll infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108098.exe infected by "not-a-virus:AdWare.BargianBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108099.exe infected by "not-a-virus:AdWare.BargianBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108100.srg infected by "not-a-virus:AdWare.BargianBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP372\A0108101.vxd infected by "not-a-virus:AdWare.BargianBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109166.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109209.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109210.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109211.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109212.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109214.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.af" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109219.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109267.exe infected by "Trojan-Downloader.Win32.Petrolin.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109268.dll infected by "not-a-virus:AdWare.SearchPage" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109273.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109289.exe infected by "Email-Worm.Win32.Bagz.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109290.exe infected by "Email-Worm.Win32.Bagz.i" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP374\A0109305.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP378\A0109346.exe infected by "not-a-virus:AdWare.PurityScan.w" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP378\A0109355.exe infected by "not-a-virus:AdWare.FindSpy.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP378\A0109356.exe infected by "not-a-virus:AdWare.Apropos.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\QaBar.dll infected by "Trojan-Clicker.Win32.Qabar.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system\Loader.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\bln02nqv.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\glfexdyb.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\taskmg.exe infected by "Trojan.Win32.Hpt.j" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\txfdb32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winb2s32.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winb2s33.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

Thank you.

#7
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\cxtpls_loader.exe
C:\Documents and Settings\user\My Documents\CAT-FF7.ZIP
C:\HJT\backups\backup-20050428-160754-815.dll
C:\Sierra\Counter-Strike\hltv.exe
C:\WINDOWS\cxtpls_loader.exe
C:\WINDOWS\Downloaded Program Files\QaBar.dll
C:\WINDOWS\shop1004.exe
C:\WINDOWS\system\Loader.dll
C:\WINDOWS\system32\bln02nqv.exe
C:\WINDOWS\system32\glfexdyb.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\taskmg.exe
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\system32\winb2s32.dll
C:\WINDOWS\system32\winb2s33.dll
C:\WINDOWS\system32\wldr.dll

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Restart. Run a new mwav scan and post the log here.
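As an added example (not part of the thread, and not a tool from mwav or the helper), here is a small Python triage of the scan-log format posted above. It sorts lines into the buckets the clean-up steps act on: live files (the KillBox list, de-duplicated), copies under System Volume Information (cleared by the System Restore toggle), path-less "System Found" hits that no file deletion will touch, and informational "tagged as not-a-virus" entries. The sample lines are constructed from the posted log; no new paths or detection names are introduced.

```python
import re

# Constructed sample in the format of the mwav (eScan) log posted in this thread;
# paths and detection names are copied from the posted log, nothing new is added.
SAMPLE_LOG = r"""
File C:\System Volume Information\_restore{32822BAE-24A6-48C5-B6E2-EC0D060DC7FC}\RP373\A0109289.exe infected by "Email-Worm.Win32.Bagz.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winb2s32.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
"""

# Two line shapes appear in the log: 'infected by "<name>" Virus.' and 'tagged as <name>.'
INFECTED = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\.')
TAGGED = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>\S+)\. No Action Taken\.')
RESTORE_PREFIX = r"c:\system volume information\_restore"


def triage(log_text):
    """Sort mwav log lines into the buckets the thread's clean-up steps act on."""
    buckets = {"killbox": {}, "restore_points": [], "heuristic": [],
               "informational": [], "unparsed": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED.match(line)
        if m:
            path, name = m.group("path"), m.group("name")
            if path == "System Found":
                # No file path: a registry or heuristic hit, so KillBox cannot remove it.
                buckets["heuristic"].append(name)
            elif path.lower().startswith(RESTORE_PREFIX):
                # Restore-point copy: purged by turning System Restore off and on again.
                buckets["restore_points"].append(path)
            else:
                # Live file: this is what goes into KillBox. Dict keys de-duplicate
                # repeats (the posted list names cxtpls_loader.exe twice).
                buckets["killbox"].setdefault(path, name)
            continue
        m = TAGGED.match(line)
        if m:
            # 'not-a-virus' tags are informational (riskware, SDK demos); review, don't delete.
            buckets["informational"].append((m.group("path"), m.group("name")))
            continue
        buckets["unparsed"].append(line)  # anything else deserves a human look
    return buckets


def killbox_list(log_text):
    """Return the sorted, de-duplicated live-file paths to paste into KillBox."""
    return sorted(triage(log_text)["killbox"])
```

Running `killbox_list(SAMPLE_LOG)` yields only the two live files; the restore-point copy and the "System Found" SideFind hit land in their own buckets, which matches the thread's outcome where toggling System Restore and registry edits, not file deletion, were the remaining steps.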

#8
diehlal
    New Member
  • Topic Starter
  • Member
  • 9 posts
Here is the log from the scan:

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142040}\Java 2 SDK, SE v1.4.2_04.msi tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142050}\Java 2 SDK, SE v1.4.2_05.msi tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Documents and Settings\user\My Documents\mirc612.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
File C:\j2sdk1.4.2_05\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\j2sdk1.4.2_05\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\Common Files\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.

#9
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Follow the instructions here. You don't need to use their antivirus. Update AVG and see if it can find any traces of SideFind.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000762-3965-4A1A-98CE-3D4BF457D4C8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000007AB-7059-463E-BD44-101A1750D732}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000762-3965-4A1A-98CE-3D4BF457D4C8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000007AB-7059-463E-BD44-101A1750D732}]

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Go to c:\program files\ and delete the Lycos and SideFind folders if present.

Go to your add/remove panel and look for SideFind and Lycos SideSearch. Uninstall them if found.

Run one more mwav scan and post the log here. You should be ok now.

#10
diehlal
    New Member
  • Topic Starter
  • Member
  • 9 posts
I followed all of your directions in that last post but I didn't actually delete or change any files. When I followed the directions to get rid of Sidefind, I got a message saying the file could not be found. I searched my C: Drive for "sidefind" and came up with nothing. Then I made the changes to the registry. There were no files in Program Files with the name Sidefind or Lycos. They were also not visible in my add/remove files list. Here is the log created by the scan:

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142040}\Java 2 SDK, SE v1.4.2_04.msi tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142050}\Java 2 SDK, SE v1.4.2_05.msi tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Documents and Settings\user\My Documents\mirc612.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
File C:\j2sdk1.4.2_05\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\j2sdk1.4.2_05\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\Common Files\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.

#11
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
OK, I can't think of anything else. I told you all the registry and file entries that they may be located in. What I'm thinking now is that it's either catching a false positive or there's just some minor remnants of them remaining. I'm sure they won't cause any trouble since the main registry keys and files are not there anymore.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#12
diehlal
    New Member
  • Topic Starter
  • Member
  • 9 posts
There doesn't seem to be a problem anymore.

Thank you for all the help, you're a life-saver.

#13
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.