
popuper.exe virus plus various malware [CLOSED]


  • This topic is locked

#1
sakman369

sakman369

    Member

  • Member
  • 19 posts
Hi everyone. First of all, let me thank you for the wonderful job you guys are doing. I'm posting my ActiveScan and HijackThis logs. I've had trouble with a few of the issues for a while. Again, thanks a lot for your help. I await your reply.

Logfile of HijackThis v1.99.1
Scan saved at 5:27:41 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javagq32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\msole32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\user1\Application Data\oooo.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\sdkxf32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yyjny.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {094C8CED-58C8-2CD1-5207-27C140FB0531} - C:\WINDOWS\iepm32.dll
O2 - BHO: (no name) - {A0E42DCF-5616-B378-BA75-97FF635FC66C} - C:\WINDOWS\system32\atlvf.dll
O2 - BHO: (no name) - {C0E97C0D-2D4A-BFEF-29D3-ED9E3AF48637} - C:\WINDOWS\system32\msgi32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [waysitedrawmfcd] C:\Documents and Settings\All Users\Application Data\Sign Ball Way Site\vc loud.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sdkxf32.exe] C:\WINDOWS\sdkxf32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uiavjg] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [proxythe] C:\DOCUME~1\user1\APPLIC~1\COMPSI~1\FORDTHUNKGPL.exe
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [Ipwe] C:\Documents and Settings\user1\Application Data\oooo.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {40E3C65F-4E17-4F8F-BC9A-2B5A73AA53E7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40E3C65F-4E17-4F8F-BC9A-2B5A73AA53E7} - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by sakman369, 20 May 2005 - 03:29 PM.

  • 0


#2
sakman369

sakman369

    Member

  • Topic Starter
  • Member
  • 19 posts
ActiveScan

Attached Files


  • 0

#3
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Sakman,

Sorry about the delay in getting to your post.

Do you still require assistance?

If so please post a fresh HJT log in this thread.

Let me know if your problems are now resolved.

Regards,

Usetobe
  • 0

#4
sakman369

sakman369

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi usetobe.

Thanks for your reply. I'm still experiencing the same problems, and would greatly appreciate your assistance. Here is my updated HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 9:28:17 AM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\d3zq.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\javagq32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\user1\Application Data\oooo.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\user1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wbcdxkftvutf....h1XmtTiL8p.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {9E0E94E6-F2FC-52E4-E589-519846F8629C} - C:\WINDOWS\atlmg32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [waysitedrawmfcd] C:\Documents and Settings\All Users\Application Data\Sign Ball Way Site\vc loud.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [d3zq.exe] C:\WINDOWS\d3zq.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uiavjg] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [proxythe] C:\DOCUME~1\user1\APPLIC~1\COMPSI~1\FORDTHUNKGPL.exe
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [Ipwe] C:\Documents and Settings\user1\Application Data\oooo.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {40E3C65F-4E17-4F8F-BC9A-2B5A73AA53E7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40E3C65F-4E17-4F8F-BC9A-2B5A73AA53E7} - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#5
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Sakman,

Please print out a copy of this to make it easier to follow, as you will need to reboot your PC several times. Follow these instructions carefully; they may appear to be complicated, but I am confident that with teamwork we will clear this up.

Your log is really complex, as you have the remnants of three nasty infections all rolled up together: Smitfraud, CWS.

You MAY also have a LOP infection that often comes together with Messenger Plus. To remove it we will try the simple way first.

1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully, voilà, one nasty infection is gone.

You will still have messenger plus but without the LOP.

Now we can start on the real work....

So as not to make it too difficult for you we will tackle it in several steps.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSPFix from here.
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you may see one or more instances of newdotnet6_38.dll.
5. Select every instance of newdotnet6_38.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Please download the Killbox. In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

We will need to download a few MORE tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY HERE
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Download a free 14 day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Set PC to show hidden files (click link if you do not know how): LINK

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Network Security Service ( 11Fßä#·ºÄÖ`I).
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way):

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wbcdxkftvutf....h1XmtTiL8p.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {9E0E94E6-F2FC-52E4-E589-519846F8629C} - C:\WINDOWS\atlmg32.dll
O4 - HKLM\..\Run: [waysitedrawmfcd] C:\Documents and Settings\All Users\Application Data\Sign Ball Way Site\vc loud.exe
O4 - HKLM\..\Run: [d3zq.exe] C:\WINDOWS\d3zq.exe
O4 - HKCU\..\Run: [proxythe] C:\DOCUME~1\user1\APPLIC~1\COMPSI~1\FORDTHUNKGPL.exe
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [Ipwe] C:\Documents and Settings\user1\Application Data\oooo.exe
O9 - Extra button: Microsoft AntiSpyware helper - {40E3C65F-4E17-4F8F-BC9A-2B5A73AA53E7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40E3C65F-4E17-4F8F-BC9A-2B5A73AA53E7} - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe


then click FIX CHECKED

Now using windows explorer locate and delete the following if found:

C:\WINDOWS\system32\vnpck.dll <<<----with anything after that
C:\WINDOWS\atlmg32.dll
C:\Documents and Settings\All Users\Application Data\Sign Ball Way Site\vc loud.exe
C:\WINDOWS\d3zq.exe
C:\DOCUME~1\user1\APPLIC~1\COMPSI~1\FORDTHUNKGPL.exe
C:\Documents and Settings\user1\Application Data\oooo.exe
c:\program files\newdotnet\newdotnet6_38.dll
C:\WINDOWS\system32\javagq32.exe


Next restart HJT and click on Misc Tools button, then select Delete an NT service

In the popup box paste the following into the box. IT IS IMPORTANT THAT THERE IS A SPACE BEFORE THE FIRST NUMBER 1 OR IT WON'T WORK

11Fßä#·ºÄÖ`I

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

Now run Ewido. Click on the Scanner button, select drives if you have more than one, and then start. Grab a cup of coffee, sandwiches, a book, as this may take some time. Once the first problem is detected, ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Now rescan with HJT and post the log back, together with the other requested logs.
  • 0
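As an added example (not part of this thread, and not code from HijackThis or any of the tools usetobe links), here is a small Python triage script that parses HJT logs the way a helper reads them by hand. It applies the checks behind the fixes above (browser search settings redirected into a `res://` DLL resource, an extra program chained onto the logon shell, an unnamed BHO, a startup path with a character HJT could not render, Trusted Zone additions, a service with an unknown owner, and dangling "(file missing)" references), and it diffs two scans of the same machine so you can see what changed between post #1 and post #4. The sample logs are a constructed subset of the lines sakman369 posted; the rule set, function names and the "look-alike filename" heuristic are my own.

```python
import re

# Constructed sample input: a subset of the lines from the two HijackThis logs sakman369
# posted above (post #1 on 5/20/2005 and post #4 on 5/27/2005), embedded so this runs offline.
LOG_MAY20 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\javagq32.exe
C:\WINDOWS\sdkxf32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yyjny.dll/sp.html#28129
O2 - BHO: (no name) - {094C8CED-58C8-2CD1-5207-27C140FB0531} - C:\WINDOWS\iepm32.dll
O4 - HKLM\..\Run: [sdkxf32.exe] C:\WINDOWS\sdkxf32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe
"""

LOG_MAY27 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\javagq32.exe
C:\WINDOWS\d3zq.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vnpck.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {9E0E94E6-F2FC-52E4-E589-519846F8629C} - C:\WINDOWS\atlmg32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [d3zq.exe] C:\WINDOWS\d3zq.exe
O4 - HKCU\..\Run: [Uiavjg] C:\WINDOWS\System32\w?nlogon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# One HJT entry: a section code (R0/R1/F2/O2/O4/...), a dash, then the body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its coded entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends the process block
            in_processes = False
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def flag_entries(entries):
    """Apply the red-flag checks behind the fixes in post #5; returns (section, reason, body) tuples."""
    flags = []
    for section, body in entries:
        reasons = []
        if section in ("R0", "R1") and "res://" in body:
            reasons.append("browser search/start setting redirected into a local DLL resource")
        if section == "F2" and "Shell=" in body and body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            reasons.append("extra program chained onto the logon shell")
        if section == "O2" and "(no name)" in body:
            reasons.append("browser helper object with no name")
        if section == "O4" and "?" in body:
            reasons.append("startup path has a character HJT could not render (look-alike filename)")
        if section == "O15":
            reasons.append("site or IP range added to the IE Trusted Zone")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if "(file missing)" in body:
            reasons.append("entry references a file that no longer exists")
        flags.extend((section, reason, body) for reason in reasons)
    return flags


def diff_logs(old_text, new_text):
    """Show what appeared, what disappeared and which flagged entries survived between two scans."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    old_entries = {f"{s} - {b}" for s, b in old["entries"]}
    new_entries = {f"{s} - {b}" for s, b in new["entries"]}
    survived = {f"{s} - {b}" for s, _, b in flag_entries(new["entries"])} & old_entries
    return {
        "new_processes": sorted(set(new["processes"]) - set(old["processes"])),
        "gone_processes": sorted(set(old["processes"]) - set(new["processes"])),
        "new_entries": sorted(new_entries - old_entries),
        "gone_entries": sorted(old_entries - new_entries),
        "persistent_flags": sorted(survived),
    }


if __name__ == "__main__":
    for section, reason, body in flag_entries(parse_hjt(LOG_MAY27)["entries"]):
        print(f"[{section}] {reason}\n    {body}")
    for key, items in diff_logs(LOG_MAY20, LOG_MAY27).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print(f"    {item}")
```

The `persistent_flags` list is the useful part of the diff: between the two logs the randomly named files changed (sdkxf32.exe became d3zq.exe, yyjny.dll became vnpck.dll, iepm32.dll became atlmg32.dll), while the unowned "Network Security Service" and the Trusted Zone entries stayed put. That is why a filename blocklist would not keep up, and why the instructions above go after the service and the zone entries by what they are rather than by name.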

#6
sakman369

sakman369

    Member

  • Topic Starter
  • Member
  • 19 posts
Thank you for your quick reply. I knew it was in bad shape, but not this bad! I will print out your instructions immediately and get to work on them. Thanks again for all your help.
  • 0

#7
sakman369

sakman369

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi.

Well, I seem to have run into a couple of problems. I followed your instructions word for word and had the following issues. I don't know how important they are, but here's what didn't go to plan.


1) Messenger Plus was not found in the Control Panel for me to remove. I did, however, find a Messenger Plus 3 folder under Program Files and deleted that.

2) Virtual Maid, Security IGuard, Search Maid were not found.

3) I cut and pasted the phrase with the symbols into the Delete NT Service pop-up box of HJT, with the space before the first number as you instructed, and got a message saying registry key not found. I tried this several times and got the same reply every time.

4) I ran TrendMicro and the result was 337 infected files, none of which were cleanable, so instead I used the delete option, and confirmation came that they were all deleted. Unfortunately, there was no way of saving a log of the results.

5) I ran ewido in safe mode, and after scanning 98.7% I got an error message and the program shut down. It was the standard Windows message with the option of sending a report etc... I don't know if this is of any help, but the file that was being scanned when the crash occurred was c:/windows/system32/javaqp.dll

At this point I don't know whether I should continue with your remaining instructions, exit safe mode or rescan with ewido. I await your further instructions.

Thanks for your help and time.
  • 0

#8
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Sakman,

We frequently run into these problems; none are insurmountable, and as I said in my first post you had remnants of all these infections. I anticipated several sections to be missing, but to be certain that they were not lurking about I asked you to carry out the full removal procedure.

We can continue on.

Please try to rescan with ewido; it frequently crashes and then works the next time. In the event of a further crash, try to run it with your PC in normal mode instead of SAFE MODE.

Then carry out a fresh scan with HJT and we can see what remains.
  • 0

#9
sakman369

sakman369

    Member

  • Topic Starter
  • Member
  • 19 posts
Hello.


I ran ewido again in safe mode and it worked. My computer seems to be fine. I really cannot thank you enough. Here are the ewido and HJT logs as you requested.



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:47:03 PM, 5/27/2005
+ Report-Checksum: 827EC50B

+ Date of database: 5/27/2005
+ Version of scan engine: v3.0

+ Duration: 27 min
+ Scanned Files: 44444
+ Speed: 26.88 Files/Second
+ Infected files: 51
+ Removed files: 51
+ Files put in quarantine: 51
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\javanw32.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\javaqp.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\javarx.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\mfcxy32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\msdc32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\msed32.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\mseg.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\mshv32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\msjr32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\mspj32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\mssv32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\netam32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\netiy.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\netmp32.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\netnx.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\netob32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ntiv.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ntiz32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ntke32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ntxc.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ntze32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ntzw.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\ooyxn.dll -> Spyware.OneMoreSearch.a -> Cleaned with backup
C:\WINDOWS\system32\sdkaj.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkan.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkej32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkls.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkmb32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkmd32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sdkmi.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sysdg32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sysfw32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sysgk32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\sysse32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\syswu32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\wincn32.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\winiz32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\winmg.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\winmq32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\winor32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\system32\wintg32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\wftcc.dll -> Spyware.OneMoreSearch.a -> Cleaned with backup
C:\WINDOWS\winfi32.dll -> TrojanDownloader.Agent.kd -> Cleaned with backup
C:\WINDOWS\winma32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winnn.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winnv32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winqj32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winsc32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winwz32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winyi.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\winzd32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup


Logfile of HijackThis v1.99.1
Scan saved at 3:54:08 PM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user1\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uiavjg] C:\WINDOWS\System32\w?nlogon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntvw32.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




I just have one more request. How can I ensure that these things don't happen again? Should I keep all the programs you asked me to download? Also, I'm running on XP Service Pack 1. When I tried to install Service Pack 2 a few weeks ago, my computer caught the infamous Dr. Watson postmortem debugger problem, which I assume was a result of the viruses that were already infecting my hard drive. Would you recommend I install it now? Any other measures?


Thanks again

#10
Guest_usetobe_*
Hi SAKMAN,

We are not quite finished just yet. Once I have your log clean I will give you my prevention advice, and you will also be able to upgrade to SP2.

We need to hit something in several different ways.

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Network Security Service ( 11Fßä#·ºÄÖ`I).
Right-click and choose "Properties". On the "General" tab, under "Service Status", click the "Stop" button to stop the service. Beside "Startup Type", in the dropdown menu, select "Disabled". Click Apply, then OK. Exit the Services utility.

Then click on Start > Run > and copy and paste in sc delete 11Fßä#·ºÄÖ`I.
Then click OK; hopefully you will get a success message.

Please reboot into SAFE MODE again, rescan with HJT and check the following if present:

O4 - HKCU\..\Run: [Uiavjg] C:\WINDOWS\System32\w?nlogon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntvw32.exe" /s (file missing)


Ensure no windows are open and FIX CHECKED.

Ensure your PC is set up to show hidden files, then locate and delete the following if present:

C:\WINDOWS\System32\w?nlogon.exe

Reboot normally, rescan with HJT and post the log back.

Edited by usetobe, 27 May 2005 - 02:25 PM.

#11
sakman369
Hi usetobe,


The problem is, when I run services.msc, Network Security Service is no longer there. Also, running sc delete 11Fßä#·ºÄÖ`I gives me no reply.

#12
Guest_usetobe_*
OK, rescan with HJT in normal mode. The file relating to the service is missing, so it is just debris that is left and no danger, but I still like to try to remove all traces.

#13
sakman369
Here is the updated HJT log after attempting to fix the three entries you mentioned.



Logfile of HijackThis v1.99.1
Scan saved at 4:42:22 PM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user1\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntvw32.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#14
Guest_usetobe_*
Hi SAKMAN,

These last ones are persistent ;) I'm getting angry with them now :tazz:

Please type this one again; again, you need to copy and paste it, as I have put an extra space in just in case it was that.

Click on Start > Run > and copy and paste in

sc delete 11Fßä#·ºÄÖ`I

Then click OK; hopefully you will get a success message.

Then Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

dir c:\WINDOWS\system32\w?nlogon.exe /a h > files.txt
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

#15
sakman369
Hi usetobe,


This thing really is persistent :tazz:, it still doesn't work. With regards to findfile.bat, I did as you instructed and this is the text that came up:


Volume in drive C has no label.
Volume Serial Number is B0F7-9497

Directory of c:\WINDOWS\system32

05/26/2004 09:38 PM 483,328 winlogon.exe
05/25/2005 09:17 AM 430,080 w?nlogon.exe
2 File(s) 913,408 bytes

Directory of C:\Documents and Settings\user1\Desktop


Thanks
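Added example (not part of HijackThis, ewido or the steps usetobe gave above): a small Python scanner showing, from the defender's side, what the helper is pattern-matching by eye in these logs. It flags a run key or running process whose file name is one character off a Windows system binary (the w?nlogon.exe sitting beside winlogon.exe that FindFile.bat surfaced), and an O23 service whose name is non-ASCII, whose binary carries no company name, is missing, or has an unbalanced quote in its image path. The PROTECTED list of system binaries is my own assumption, and the sample HJT lines and dir rows are constructed from the logs posted in this thread.

```python
"""Flag the indicators chased in this thread: a run key or process whose file
name imitates a Windows system binary, and a service entry with a garbled name,
no owner and a missing binary.  Added example, not HijackThis or forum code."""
import re
import unicodedata

# Assumed list of legitimate Windows binaries that malware imitates by name.
PROTECTED = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
             "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}

O23_RE = re.compile(r"^O23 - Service: .*? \((?P<name>[^)]*)\) - "
                    r"(?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)      # file name inside a command
DIR_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+"
                    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$")  # one row of `dir` output

def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            # substitution advances both; an inserted character advances the longer side only
            i += len(a) >= len(b)
            j += len(b) >= len(a)
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1

def lookalike_of(name):
    """Return the protected binary `name` imitates, or None.  Non-ASCII letters
    (homoglyphs) are folded away first; a '?' left by a console that could not
    render a character is caught as a one-character substitution."""
    base = name.lower()
    if base in PROTECTED:
        return None
    folded = unicodedata.normalize("NFKD", base).encode("ascii", "ignore").decode()
    for good in sorted(PROTECTED):
        if folded == good or within_one_edit(folded, good):
            return good
    return None

def scan_hjt_log(text):
    """Return (line, reason) pairs for suspicious HijackThis log entries."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("O23 - Service:"):
            m = O23_RE.match(line)
            if not m:
                continue
            name, owner, path = m.group("name").strip(), m.group("owner"), m.group("path")
            checks = [
                (not name.isascii(), "service name contains non-ASCII characters"),
                (owner == "Unknown owner", "service binary carries no company name"),
                ("(file missing)" in path, "service points at a file that no longer exists"),
                (path.count('"') % 2 == 1, "service image path has an unbalanced quote"),
            ]
            findings += [(line, why) for hit, why in checks if hit]
        elif line.startswith("O4 - ") or re.match(r"^[A-Za-z]:\\", line):
            exe = EXE_RE.search(line)          # run-key command or running process
            good = lookalike_of(exe.group(1)) if exe else None
            if good:
                findings.append((line, f"{exe.group(1)} imitates {good}"))
    return findings

def scan_dir_listing(text):
    """Return (name, imitated binary, size) for lookalike files in `dir` output."""
    hits = []
    for m in filter(None, map(DIR_RE.match, text.splitlines())):
        good = lookalike_of(m.group("name"))
        if good:
            hits.append((m.group("name"), good, int(m.group("size").replace(",", ""))))
    return hits

# Constructed sample, condensed from the HJT log and FindFile.bat output in this thread.
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\w?nlogon.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Uiavjg] C:\WINDOWS\System32\w?nlogon.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntvw32.exe" /s (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""
SAMPLE_DIR = r"""05/26/2004  09:38 PM           483,328 winlogon.exe
05/25/2005  09:17 AM           430,080 w?nlogon.exe
               2 File(s)        913,408 bytes
"""

if __name__ == "__main__":
    for line, reason in scan_hjt_log(SAMPLE_HJT):
        print(f"{reason}: {line}")
    for name, good, size in scan_dir_listing(SAMPLE_DIR):
        print(f"{name} ({size:,} bytes) imitates {good}")
```

The '?' in w?nlogon.exe is most likely the console's substitute for a character it cannot display, which is also why the dir line in FindFile.bat, where ? is a one-character wildcard, listed both files; the scanner treats that '?' as a single substitution, so the lookalike is caught whether the name reaches it as the raw homoglyph or as the console's rendering of it.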