Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

cannot remove three files

Started by tsuretie57 , May 21 2005 03:37 AM

  • This topic is locked This topic is locked

#31
tsuretie57
Posted 29 May 2005 - 03:54 AM

tsuretie57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Dear Don77

thanks for your attention, much appreciated !

I did all what you suggested, only "Run online virus scan : ActiveScan" didn't work because : "Browser not supported"? i don't know why ?

Here is my new HiJackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 11:50:58, on 29-5-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\AVPersonal\AVSched32.EXE
c:\windows\system32\ycuaih.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [epykape] c:\windows\system32\ycuaih.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
  • 0

Advertisements

#32
don77
Posted 29 May 2005 - 08:28 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
that looks much better,

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode,

Please go here
http://www.softpedia...Pack-SP1a.shtml
Download sp1 manually and install it.

If you get any error messages please let me know what it says,
Restart your computer
PLease post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#33
tsuretie57
Posted 29 May 2005 - 11:40 AM

tsuretie57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks a lot Don 77 :
the Ewido link was ok but the Nailfix link didn't work : " The file you rquested does not exist in our database" but i downloaded the file manually (i hope, it was right to do so?)

When downloading Sp1 i recieved the error : " Setup cannot update your windows files because the language is different from the update language" Surely because i run a Dutch version and the download is in English.

So here is my Hijackthis scan :

Logfile of HijackThis v1.99.1
Scan saved at 19:31:30, on 29-5-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\David\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

And the Ewido logfile :

--------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 19:13:10, 29-5-2005
+ Rapport samenvatting: 869F98C5

+ Datum van de database: 29-5-2005
+ Versienummer van de scanner: v3.0

+ Duur: 26 min
+ Gescande bestanden: 38459
+ Snelheid: 24.25 Bestanden/Seconde
+ Geinfecteerde bestanden: 45
+ Verwijderde bestanden: 45
+ Bestanden in quarantaine gezet: 45
+ Bestanden die niet konden worden geopend: 0
+ Bestanden die niet konden worden schoongemaakt: 0

+ Binder: Ja
+ Crypter: Ja
+ Archieven: Ja

+ Gescande items:
C:\

+ Scan resultaten:
C:\Documents and Settings\David\Bureaublad\backups\backup-20050529-112210-731.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\bsmapb.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\eszurk.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\fnwtov.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\gonskcu.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\jlerkvt.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\jlerkvt.VIR00 -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\jqrwei.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\kbtyvs.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\kbtyvs.VIR00 -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\kjqjvyn.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\kjqjvyn.VIR00 -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\lwgjtbc.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\orhkvw.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\qqpqktz.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\qxnoyho.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\vhbhlpx.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\AVPersonal\INFECTED\xpsciii.VIR -> Trojan.Agent.cp -> Schoongemaakt met een backup
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Schoongemaakt met een backup
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Schoongemaakt met een backup
C:\WINDOWS\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Schoongemaakt met een backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Schoongemaakt met een backup
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Schoongemaakt met een backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsa17.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsd24.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsf25.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsi25.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsi2A.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsi6.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsk2C.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsl3.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsm2.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsm28.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nso18.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nso7.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsp32.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsq1B.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsq35.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsu3.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsv2C.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsw46.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsx2C.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\system32\nsy4F.dll -> Spyware.HotBar -> Schoongemaakt met een backup
C:\WINDOWS\ttyxdovoe.exe -> Spyware.BetterInternet -> Schoongemaakt met een backup


::Einde rapport


i hope we got it all right sofar
thanks a lot,
Filip
  • 0

#34
don77
Posted 29 May 2005 - 08:45 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep AD-Aware. and Spybot 1.3 handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Important do this Now
Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,
  • 0

#35
tsuretie57
Posted 30 May 2005 - 11:11 AM

tsuretie57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks a lot Don77,

pc is working great again, i appreciate !!

If i can do something for you ounce, please let me know....

i don't know anything about computers but i do know something about nature, that's my job and my live. Plants and animals....these are my things. So if you have some problems with them, i'll be glad to help!

:-)

See you and thanks again !!

Filip
  • 0

#36
don77
Posted 30 May 2005 - 01:26 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Very welcome Filip

Glad I could help !

It was my pleasure,

Sense this topic has been resolved it will now be closed, Should you have any further problems or need it reopened please pm a member of the staff,
Please provide alink to this topic

Thanks
and good luck

Don
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP