Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help me to fix my malware problems [RESOLVED]

Started by schuylerwatson , May 09 2005 08:49 AM

  • This topic is locked This topic is locked

#1
schuylerwatson
Posted 09 May 2005 - 08:49 AM

schuylerwatson

    Member

  • Member
  • PipPip
  • 12 posts
I downloaded the enwido and hijackthis and spybot 1.4 and ran them all but i must be doing it wrong or somthing because that isrvs ist whatever its called wont leave my computer. It even connects it to the internet all by its self when i log off (i have a dialup 56k). here is a log after I ran hijack this and enwido... if someone could help me to cure this computer it would be great.. before i throw it out the window... thanks -sw

Hijack-----

Logfile of HijackThis v1.99.1
Scan saved at 10:15:07 AM, on 5/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\PROGRA~1\GROKSTER\GROKSTER.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\agcowrwa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\WINDOWS\system32\freecell.exe
c:\windows\system32\biuedsg.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.carstats.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsupc.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsq4E0.dll (file missing)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [4eJiWo] C:\WINDOWS\agcowrwa.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [aagoxyx] c:\windows\system32\biuedsg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\sm.exe
O4 - HKCU\..\Run: [h0p7RTe5i] fonlgs.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\DOCUME~1\Owner\LOCALS~1\Temp\sais.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F5491CF-38B0-4039-BF81-9F5BE68D7B02}: NameServer = 198.6.100.6 198.6.1.6
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Enwido thingy----

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:13:54 AM, 5/9/2005
+ Report-Checksum: 92D2F313

+ Date of database: 5/7/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 90498
+ Speed: 38.19 Files/Second
+ Infected files: 61
+ Removed files: 61
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\system32\nsq4E0.dll -> Spyware.Beginto.c -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EEAMCFR0\127062[1].exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EEAMCFR0\optimize[1].exe -> TrojanDownloader.Dyfuca.dx -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L0FYHI5\istsvc[1].exe -> TrojanDownloader.IstBar -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SHA74XM7\nem220[1].dll -> TrojanDownloader.Dyfuca -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SHA74XM7\sfbho13[1].dll -> Spyware.SideFind -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IYWAOYV4\istrecover[1].exe -> TrojanDownloader.IstBar.ij -> Cleaned without backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IYWAOYV4\bb[1].exe -> TrojanDownloader.Adload.a -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@spylog[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@list[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@dcsa237jn11e5hqth6qbnmpgy_1g3i[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Owner\Cookies\owner@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Program Files\Common Files\System\Mapi\1033\tool.exe -> Spyware.HotSearchBar.e -> Cleaned without backup
C:\Program Files\Common Files\System\Mapi\1033\efvefefe.exe -> TrojanDownloader.IstBar.it -> Cleaned without backup
C:\Program Files\Common Files\System\Mapi\1033\sefer.exe -> Spyware.Agent.bn -> Cleaned without backup
C:\Program Files\Common Files\System\Mapi\1033\efefe.exe -> Spyware.ISearch.d -> Cleaned without backup
C:\Program Files\Common Files\System\Mapi\1033\video2.exe -> TrojanDownloader.Small.my -> Cleaned without backup
C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind -> Cleaned without backup
C:\Program Files\SideFind\sidefind.dll -> Spyware.SideFind -> Cleaned without backup
C:\Program Files\Grokster\TopSearch.dll -> Spyware.Altnet.c -> Cleaned without backup
C:\Program Files\Grokster\abcdefghi.dll -> Spyware.Altnet.c -> Cleaned without backup
C:\Program Files\ISTsvc\istsvc.exe -> TrojanDownloader.IstBar -> Cleaned without backup
C:\Program Files\WebSiteViewer\127062.dlr -> Dialer.Generic -> Cleaned without backup
C:\Program Files\WebSiteViewer\127062.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned without backup
C:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126847.sys -> Trojan.Delprot.a -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126848.dll -> Spyware.ISearch.d -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126849.dll -> TrojanDownloader.Ieser.a -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126850.exe -> Trojan.Isearch -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126851.REG -> Trojan.LowZones.a -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126852.exe -> Spyware.HotSearchBar.e -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126853.exe -> TrojanDownloader.IstBar.it -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126854.exe -> Spyware.Agent.bn -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126855.exe -> Spyware.ISearch.d -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126856.exe -> TrojanDownloader.Small.my -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126857.exe -> Spyware.Gator -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126858.exe -> Spyware.Gator -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126859.exe -> Spyware.HotSearchBar.e -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126860.exe -> TrojanDownloader.IstBar.it -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126861.exe -> Spyware.Agent.bn -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126862.exe -> Spyware.ISearch.d -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126863.exe -> TrojanDownloader.Small.my -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126864.dll -> Spyware.SideFind -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126865.dll -> Spyware.Apropos -> Cleaned without backup
C:\System Volume Information\_restore{B1DAA04E-5976-4D21-AC28-AA8C1BA70FCB}\RP522\A0126866.dll -> Spyware.eUniverse -> Cleaned without backup


::Report End


I have things like sex.lnk that keeps showing up on my desktop and aurora pop ups etc... there is somthing on my start menu under connect to icon which says connect to tibs147 or somthing under my internet connections and when i log off it turns on and connects me back to the internet.. i have to pull out my phone cord to sign off now :-( thanks
  • 0

Advertisements

#2
greyknight17
Posted 09 May 2005 - 06:24 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

Download FxIstbar[/b] and run it. Do not restart yet.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Grokster, I don't recommend using P2P programs since they may contribute to these problems
SideFind
PowerScan

1. SKIP

2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Windows\System32\svcproc.exe
C:\Windows\System32\Nail.exe
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\agcowrwa.exe
C:\Program Files\Internet Explorer\svchost.exe
c:\windows\system32\biuedsg.exe
C:\Program Files\ISTsvc\
C:\WINDOWS\nem220.dll
C:\WINDOWS\system32\rsyncmon.dll
C:\WINDOWS\Bolger.dll
C:\WINDOWS\system32\nsq4E0.dll
C:\WINDOWS\drexinit.dll
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\agcowrwa.exe
C:\Program Files\Power Scan\
c:\windows\system32\biuedsg.exe
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\fonlgs.exe
C:\Program Files\SideFind\

5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit

6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsq4E0.dll (file missing)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [4eJiWo] C:\WINDOWS\agcowrwa.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [aagoxyx] c:\windows\system32\biuedsg.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\sm.exe
O4 - HKCU\..\Run: [h0p7RTe5i] fonlgs.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\DOCUME~1\Owner\LOCALS~1\Temp\sais.exe"
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

7. Reboot the computer now. Reconnect your internet access and do this:

**Note** DO NOT REBOOT the computer during the removal process. If you do the filenames will change. If you can't leave the computer on now, I suggest not running the logs below yet. Wait until you can leave it on.

Download FindIt's.zip to your desktop: [url=http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443]http://forums.net-integration.net/index.ph...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here along with the new HijackThis log.
  • 0

#3
schuylerwatson
Posted 10 May 2005 - 10:39 AM

schuylerwatson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
i cant get that cleanup website to download it says no page when i click the link for any of the versions... any suggestions? thanks for the help by the way.. cant wait to kill this virus junk.. i have deleted grokster and limewire too
  • 0

#4
greyknight17
Posted 10 May 2005 - 11:37 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
How about this link? Get it there and continue with the other steps I listed above.
  • 0

#5
schuylerwatson
Posted 10 May 2005 - 07:48 PM

schuylerwatson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Im sorry i just finally got back online.. i had to run spybot enwido etc a few times just to get to be able to get online... I tried your steps but there were some files for example in the hijack ones you told me to delete that were not there... i think things changed when i was working to get back online.. here is a hijack this log that I am running as I type this... Also there are some wierd things under "connect to" on my start menu (one is in spanish) and one is tibs41. Ihave all the programs now except the last one written in green in your instructions because u said to wait to do that log somthing I was not sure what you meants... if i could get new intructs that would be great. Also when i start windows it says somthing about cannot find file somthing ssytem32 or somthing. HEres my hijack thanks -sw

0----0-----0--

Logfile of HijackThis v1.99.1
Scan saved at 9:46:21 PM, on 5/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\efvefefe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\video2.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsupc.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...activex/mp3.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F5491CF-38B0-4039-BF81-9F5BE68D7B02}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
  • 0

#6
greyknight17
Posted 11 May 2005 - 04:31 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where is the FindIt's log? I need that log also.
  • 0

#7
schuylerwatson
Posted 23 May 2005 - 05:17 PM

schuylerwatson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
find its? is that a program sorry i must have missse dsomthing
  • 0

#8
greyknight17
Posted 23 May 2005 - 05:28 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I asked you to download that earlier :tazz: It's the one in green that you have problems with. That's ok. Let's hold off on running that. I'll see if we can remove it in HijackThis as it is:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...activex/mp3.ocx

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\Owner\efvefefe.exe
C:\Documents and Settings\Owner\video2.exe
C:\WINDOWS\system32\svhost.exe - careful on this one, make sure it's spelled exactly as shown here. There is a LEGITIMATE file called svchost.exe, so don't delete that one. This bad one is missing the letter C in it.
C:\WINDOWS\isrvs\

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#9
schuylerwatson
Posted 24 May 2005 - 01:31 PM

schuylerwatson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
sorry about that I had that program i confused it with fixits the thing from symmantac. the only problem is i am posting frm a friends pc because i cannot get online with mine now. when i try to sign on and it connects like 64 ie windows open and go all over the screen then the internet freezes up from all of them. I will post a new log once i fight my way back to the internet... ps i only have 56k if that helps
  • 0

#10
greyknight17
Posted 24 May 2005 - 08:28 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just print the instructions out and go to your computer. Boot into Safe Mode to do the fix. Hopefully those windows won't popup in safe mode. Try running Panda if you can in Normal Mode after doing the fixes. If not, updated Ewido (if it has any updates) and run a full scan.

Post back a new log when you did all those.
  • 0

#11
schuylerwatson
Posted 25 May 2005 - 11:20 AM

schuylerwatson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
lets see I think i may be set because i basically did all of those steps over and over and rebooted and did em again and now when i run ewido and hijack this and spybot they all say nothing found. The only thing that is strange is that i use msn to connect to the internet as my ISP and it deleted my location so i went to add one and when i connect it says there are no local access numbers even though there are... i will call msn to get that straightened out and once I do ill post a findits log for you. I think im all clean but i thoguht so the times before but once i got on the internet it came back so we will see thanks bye
  • 0

#12
greyknight17
Posted 20 June 2005 - 06:07 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP