Pop ups and files [RESOLVED]



#16 therock247uk (Expert, MVP, 14,671 posts)
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way):

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:

items to fix

Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
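The "Delete on Reboot" step above relies on a Windows mechanism worth seeing explicitly. As an added example (not code from the original post and not Killbox's own code), the block below builds and reads the registry value that carries such requests. Tools like Killbox call MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT); that API appends a (source, destination) pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, with the source written as an NT path (\??\C:\...) and an empty destination meaning "delete". Session Manager processes the list early in the next boot, before the Run entries that would otherwise start the malware and re-lock its files. The function names and the .reg layout are this example's own; the paths are the Killbox list from this post.

```python
r"""
Added example (not from the original post, not Killbox's code): representing a
"Delete on Reboot" request as Windows stores it, and reading it back.
"""

PENDING_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"          # object-manager prefix MoveFileEx writes in front of C:\...

# The Killbox list posted in this thread.
KILLBOX_PATHS = [
    r"C:\wp.exe", r"C:\wp.bmp", r"C:\bsw.exe",
    r"C:\Windows\sites.ini", r"C:\Windows\popuper.exe",
    r"C:\Windows\system32\hhk.dll", r"C:\Windows\System32\wldr.dll",
    r"C:\Windows\System32\helper.exe", r"C:\Windows\System32\intmon.exe",
    r"C:\Windows\System32\shnlog.exe", r"C:\Windows\System32\intmonp.exe",
    r"C:\Windows\System32\msmsgs.exe", r"C:\Windows\system32\msole32.exe",
    r"C:\Windows\System32\ole32vbs.exe",
]


def pending_delete_entries(paths):
    """Expand Win32 paths into the string pairs the value holds:
    NT-prefixed source followed by an empty destination (= delete at boot)."""
    entries = []
    for path in paths:
        entries.append(NT_PREFIX + path)
        entries.append("")
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ: each element NUL-terminated, one extra NUL, UTF-16LE."""
    body = "".join(s + "\0" for s in strings)
    return (body + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz. Generic REG_MULTI_SZ readers may stop at the
    first empty element; this value relies on empty elements, so decode by position."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing final terminator")
    body = text[:-1]
    if body == "":
        return []
    if not body.endswith("\0"):
        raise ValueError("every element must be NUL-terminated")
    return body[:-1].split("\0")


def pending_operations(data):
    """Interpret the value as (source, action) pairs, as Session Manager does."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("value must hold (source, destination) pairs")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        ops.append((src, "delete" if dst == "" else "rename to " + dst))
    return ops


def to_hex7(data, width=20):
    """Render bytes in the .reg 'hex(7):' form, continuation lines indented two spaces."""
    hex_bytes = ["%02x" % b for b in data]
    lines = [",".join(hex_bytes[i:i + width]) for i in range(0, len(hex_bytes), width)]
    return "hex(7):" + ",\\\n  ".join(lines)


def build_reg_file(paths):
    """A .reg file that queues deletion of `paths` at the next boot.

    Caveat: merging it REPLACES whatever is already queued in the value (for
    example a pending update's file renames), whereas MoveFileEx appends.
    On a live machine the API is the safer route; this form shows the mechanism.
    """
    data = encode_multi_sz(pending_delete_entries(paths))
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % PENDING_KEY,
        '"%s"=%s' % (PENDING_VALUE, to_hex7(data)),
        "",
    ])


if __name__ == "__main__":
    print(build_reg_file(KILLBOX_PATHS))
    queued = encode_multi_sz(pending_delete_entries(KILLBOX_PATHS))
    for src, action in pending_operations(queued):
        print(action, src)
```

Reading the value back pairwise is the useful check after a reboot that did not remove the files: if the entry is still there, the deletion never ran; if it is gone but the file is back, something re-created it, which points at a remaining Run entry or service rather than at Killbox.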


#17 frogger (Topic Starter, Member, 32 posts)
Hi,

Do you think the viruses have now been removed ?
Regards
Frogger

#18 frogger (Topic Starter, Member, 32 posts)
Sorry. Forget my last reply. Will be back with HiJackThis log ASAP.

Frogger

#19 frogger (Topic Starter, Member, 32 posts)
Hi mate,

The link you gave me for KillBox doesn't seem to work.
Should I use the link below?

http://www.bleepingc...les/killbox.php

Regards
Frogger

#20 frogger (Topic Starter, Member, 32 posts)
Hi,

See below for Panda Scan

Incident Status Location

Adware:Adware/Searcher No disinfected C:\WINDOWS\System32\fltmgr.dll
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system\adcache
Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\stwsi
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\AdultGambling.url
Adware:Adware/BookedSpace No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt\wtupdates
Spyware:Spyware/Altnet No disinfected Windows Registry
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.dll
Adware:Adware/InstaFinder No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\frogger\Favorites\1111\1111.url
Virus:Trj/Iyus.M Disinfected Operating system
Adware:Adware/BlueScreenWarning No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\TEMPOLD\Space\Jobs\Paul & Lou\$WRD1403.TMP
Spyware:Spyware/ISTbar No disinfected C:\TEMPOLD\Paul & Lou\$WRD1403.TMP
Virus:Trj/Downloader.CVJ Disinfected C:\WINDOWS\SYSTEM32\soroeosq.exe
Spyware:Spyware/WareOut No disinfected C:\WINDOWS\SYSTEM32\minidrv.exe
Adware:Adware/Searcher No disinfected C:\WINDOWS\SYSTEM32\fltmgr.dll
Virus:W32/Gaobot.DIH.worm Disinfected C:\WINDOWS\winser.exe
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ipreg32.inf
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.dll
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf
Virus:Trj/Downloader.AXC Disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\load.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorSilentSetup.log
Spyware:Spyware/New.net No disinfected C:\WINDOWS\newdotnet2_78.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:Adware/NewDotNet.A No disinfected C:\WINDOWS\NDNuninstall4_50.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\newdotnet3_36.dll
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\winsx.inf
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Adware:Adware/Puper No disinfected C:\Internet Tools\HijackThis\backups\backup-20050520-212000-239.dll
Spyware:Spyware/ISTbar No disinfected C:\Internet Tools\HijackThis\backups\backup-20050520-212004-832.dll
Adware:Adware/Startpage.ABR No disinfected C:\Internet Tools\HijackThis\backups\backup-20050527-185151-868.dll
Adware:Adware/Spywad No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\NT\c.exe
Adware:Adware/ISearch No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\NT\down.exe
Adware:Adware/SpywareNo No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\NT\sefe.exe
Virus:Trj/Downloader.ANZ Disinfected C:\Program Files\Internet Explorer\vroyhjyu.exe
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
Virus:Trj/Downloader.CNQ Disinfected C:\Program Files\BinaryBiz\VirtualLab Client\start.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\frogger\Local Settings\Temp\iinstall.exe
Virus:Trj/Downloader.CNQ Disinfected C:\Documents and Settings\frogger\My Documents\j-gmvl2a.zip[start.exe]
Virus:Trj/Downloader.CNQ Disinfected C:\Documents and Settings\frogger\My Documents\vrlmt0ia.zip[start.exe]
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\frogger\Favorites\1111\1111.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\XXX personal photos.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\frogger\Favorites\[bleep] Real Girls.url
Adware:Adware/SpywareNo No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\Documents and Settings\frogger\sefe(01C55FCFDC421054).exe
Adware:Adware/ISearch No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\Documents and Settings\frogger\down(01C563A0A9350018).exe
Adware:Adware/SpywareNo No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\Documents and Settings\frogger\sefe(01C563A0AB71001C).exe
Spyware:Spyware/WareOut No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\Program Files\WareOut\WareOut(01C5609FE6B60007).exe
Spyware:Spyware/WareOut No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\Program Files\WareOut\WareOutUpdate(01C5609FE6B60008).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_djki(01C55FC4C8980002).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dfoc(01C55FC5E0E20002).exe
Virus:Trj/Multidropper.AJT Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\agjmvsdl(01C55FD00E6D1055).exe
Virus:W32/Bagz.V.worm Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\scombo(01C55FD011021057).exe
Adware:Adware/Searcher No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\scombopp(01C55FD011BC1058).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dstg(01C55FE2AA810002).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dqlw(01C56031CEE10002).exe
Spyware:Spyware/AdClicker No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\dmsadmins(01C56031ED790008).exe
Virus:Trj/Downloader.CCZ Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\sesmgr(01C56031EDA1000A).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dmid(01C56060A8B40002).exe
Spyware:Spyware/AdClicker No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\dmsadmins(01C560643C8E000E).exe
Virus:Trj/Downloader.CCZ Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\sesmgr(01C560643CB70010).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dkth(01C5609A51130002).exe
Spyware:Spyware/AdClicker No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\dmsadmins(01C5609A70970007).exe
Virus:Trj/Downloader.CCZ Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\sesmgr(01C5609A70C7000A).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dera(01C5609BF7A70002).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_dgom(01C5611C9BDD0002).exe
Virus:Trj/Downloader.CQM Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\System32\ms_drlh(01C5611CC8A40006).exe
Virus:Trj/Downloader.CWZ Disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\Downloaded Program Files\open(01C566DE037700D7).exe
Adware:Adware/SAHAgent No disinfected C:\RecoveryBin\Volume-5cc68ec1-8410-11d9-ad7d-806d6172696f\WINDOWS\shop1004(01C563996E50086C).exe




Logfile of HijackThis v1.99.1
Scan saved at 8:04:15 PM, on 01/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\WINDOWS\System32\keyhook.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Vet\isafe.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\INTERN~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117441058203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D229C121-B898-474B-8887-E9C73B0E6F09}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

#21 therock247uk (Expert, MVP, 14,671 posts)
1. Make sure your PC is set to show all hidden files and folders; go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, from which you select Safe Mode.

3. While in Safe Mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis, with all windows closed except HijackThis.

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"

4. Delete the folders. (if present)

C:\Program Files\Security iGuard
C:\Program Files\INSTAFINK

5. Delete the files. (if present)

c:\wp.exe
C:\WINDOWS\stubinstaller5356.exe

6. Reboot

7. A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

   a. Please download LSPFix from here.
   b. Run the LSPFix.exe that you have just finished downloading.
   c. Check the "I know what I'm doing" box.
   d. In the Keep box you should see one or more instances of fltmgr.dll.
   e. Select every instance of fltmgr.dll and move each one to the Remove box by clicking the >> button.
   f. When you are done, click Finish>>.

8. Then post a new HijackThis log here in a reply.
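The fixes in the post above were picked from the HijackThis log in post #20 by reading it line by line. As an added example (not part of the thread and not HijackThis's own code), the script below does a first triage pass over that log format with this example's own heuristics: it flags O4 autorun entries whose image is one of the full paths named for removal in this thread or sits in the drive root (as c:\wp.exe does), collapses the three repeated O10 "Unknown file in Winsock LSP" lines for fltmgr.dll into one finding, and reports O17 NameServer addresses that are outside private ranges so the user can confirm them against the ISP's resolvers. Matching is by full path, so the System32 msmsgs.exe from the Killbox list is treated differently from the Windows Messenger copy under Program Files that also appears in the log. The sample log is a constructed excerpt of lines copied from the log posted above; the two O17 lines appear unchanged in both logs in this thread.

```python
"""
Added example (not from the thread, not HijackThis's code): a triage pass over
HijackThis O4/O10/O17 lines using this example's own heuristics.
"""
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D229C121-B898-474B-8887-E9C73B0E6F09}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Full paths named for removal in this thread (Killbox list plus the post-#21 fixes).
REMOVAL_LIST = {p.lower() for p in [
    r"C:\wp.exe", r"C:\wp.bmp", r"C:\bsw.exe",
    r"C:\Windows\sites.ini", r"C:\Windows\popuper.exe",
    r"C:\Windows\system32\hhk.dll", r"C:\Windows\System32\wldr.dll",
    r"C:\Windows\System32\helper.exe", r"C:\Windows\System32\intmon.exe",
    r"C:\Windows\System32\shnlog.exe", r"C:\Windows\System32\intmonp.exe",
    r"C:\Windows\System32\msmsgs.exe", r"C:\Windows\system32\msole32.exe",
    r"C:\Windows\System32\ole32vbs.exe",
    r"C:\WINDOWS\stubinstaller5356.exe",
    r"C:\Program Files\Security iGuard\Security iGuard.exe",
    r"C:\Program Files\INSTAFINK\InstaFinderK_inst.exe",
]}

# First executable-looking path on an O4 line, quoted or not; arguments ignored.
IMAGE_RE = re.compile(
    r'"?([A-Za-z]:\\[^"]*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:"|\s|$)', re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def at_drive_root(path):
    """True for images like c:\\wp.exe: the drive root is rarely a legitimate autorun location."""
    head, _, _ = path.rpartition("\\")
    return len(head) == 2 and head[1] == ":"


def triage(log_text):
    """Return a list of {section, line, reason} findings for manual review."""
    findings = []
    seen_lsp = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O4":
            m = IMAGE_RE.search(line)
            if not m:
                continue
            image = m.group(1)
            if image.lower() in REMOVAL_LIST:
                findings.append({"section": "O4", "line": line,
                                 "reason": "autorun image is on the removal list"})
            elif at_drive_root(image):
                findings.append({"section": "O4", "line": line,
                                 "reason": "autorun image sits in the drive root"})
        elif section == "O10":
            lsp = line.split(":", 1)[1].strip().lower()
            if lsp not in seen_lsp:      # HijackThis prints one line per Winsock catalog entry
                seen_lsp.add(lsp)
                findings.append({"section": "O10", "line": line,
                                 "reason": "unknown Winsock LSP module %s" % lsp})
        elif section == "O17":
            m = NAMESERVER_RE.search(line)
            if not m:
                continue
            public = [ip for ip in m.group(1).split(",")
                      if not ipaddress.ip_address(ip).is_private]
            if public:
                findings.append({"section": "O17", "line": line,
                                 "reason": "DNS servers %s are not on a private range; "
                                           "confirm they are the ISP's" % ", ".join(public)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %s\n    %s" % (f["section"], f["reason"], f["line"]))
```

The O17 check is deliberately a "confirm" rather than a verdict: many ISPs hand out public resolver addresses, so the right follow-up is to compare the two addresses with what the ISP documents, and to re-check after the cleanup since those lines were identical in both logs.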

#22 frogger (Topic Starter, Member, 32 posts)
Hi again. Hopefully we are getting there. For my guidance, is this a pretty bad case of virus attack for my PC?

Frogger

Logfile of HijackThis v1.99.1
Scan saved at 8:46:20 PM, on 02/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Executive Software\Undelete\UdServe.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\WINDOWS\System32\keyhook.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Internet Tools\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Program Files\\Netscape\\Communicator\\Program\\blank.htm"); (C:\Program Files\Netscape\Users\jason\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\INTERN~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra 'Tools' menuitem: vWebServer Script Debugger - {B478FE8F-57ED-4e12-BB32-6B6D6635872C} - C:\WINDOWS\SYSTEM32\vDebugBand.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .vbs: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117441058203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA6880F-43F6-42F0-9F05-2FD2849C5864}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D229C121-B898-474B-8887-E9C73B0E6F09}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

#23 therock247uk (Expert, MVP, 14,671 posts)
Your log is clean :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.

#24 therock247uk (Expert, MVP, 14,671 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.