
AVGold Virus [RESOLVED]


  • This topic is locked

#16
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Looks like we're getting there.

*Please download: RegSeeker.
*Click on "Clean The Registry" in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
*Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!

Let me know if your computer is working any better after that. Also, rescan with Panda and post the log from it here.

~Kristy :tazz:
  • 0

#17
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
Kristy,

Did what you said. The regseeker keeps finding the same 24 files. I cannot delete them.

My Task Mgr still is not working properly. I have to close the program with CTRL ALT F4

I also ran a virus scan with Panda Active scan and it still has 2 viruses.

Here is the Active Scan file


Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\!Submit\screen.html
  • 0

#18
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Would you be able to copy and paste the files that it is not deleting?

~Kristy
  • 0

#19
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
This is what comes up when I hit CTRL C and then Paste it here.

Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\!Submit\screen.html
  • 0

#20
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
What about what the regseeker is not getting rid of? Can you copy and paste that please?

~Kristy :tazz:
  • 0

#21
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
Regseeker is not getting rid of it

the same 24 items keep coming up after I delete them and go into the restart

Since I cannot copy and paste them, I will type them all for you.

Here is what they say

HKEY_CURRENT_USER
Software\Local AppWizard-Generated Applications
Obsolete entry

HKEY_LOCAL_MACHINE
SOFTWARE\XGI Tech
Obsolete entry

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Desktop C:\Documents and Settings\LocalService\Desktop
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Favorites C:\Documents and Settings\LocalService\Favorites
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
NetHood C:\Documents and Settings\LocalService\NetHood
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Personal C:\Documents and Settings\LocalService\My Documents
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
PrintHood C:\Documents and Settings\LocalService\PrintHood
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Recent C:\Documents and Settings\LocalService\Recent
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SendTo C:\Documents and Settings\LocalService\SendTo
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Start Menu C:\Documents and Settings\LocalService\Start Menu
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Templates C:\Documents and Settings\LocalService\Templates
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Programs C:\Documents and Settings\LocalService\Programs
File or Path does not exist

HKEY_USERS
S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup C:\Documents and Settings\LocalService\Favorites\Programs\Startup
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Desktop C:\Documents and Settings\LocalService\Desktop
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Favorites C:\Documents and Settings\LocalService\Favorites
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
NetHood C:\Documents and Settings\LocalService\NetHood
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Personal C:\Documents and Settings\LocalService\My Documents
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
PrintHood C:\Documents and Settings\LocalService\PrintHood
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Recent C:\Documents and Settings\LocalService\Recent
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SendTo C:\Documents and Settings\LocalService\SendTo
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Start Menu C:\Documents and Settings\LocalService\Start Menu
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Templates C:\Documents and Settings\LocalService\Templates
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Programs C:\Documents and Settings\LocalService\Programs
File or Path does not exist

HKEY_USERS
S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup C:\Documents and Settings\LocalService\Programs\Startup
File or Path does not exist
  • 0

#22
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Let's try the AVGold fix again. If you have problems with it, just do the parts you can.

Copy the part in bold below into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]


*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Double-click the AVGoldfix.reg we made earlier.
And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Delete the entire folder C:\Program Files\AntiVirusGold

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Then boot back to normal, run HijackThis and post a new log.

~Kristy :tazz:
  • 0
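As an added example, not from the thread and not Kristy's or any tool's own code, here is a small Python parser for the REGEDIT4 format used in the fix above. It shows what each line of that file does when imported: a `[-KEY]` header deletes the whole key, a plain `[KEY]` header opens a section, and `"name"=-` inside a section deletes that single value. Running the fix text through it lists exactly what the import would change, which is worth reviewing before double-clicking any .reg file. The class and function names are this example's own.

```python
"""Added example (not from the thread): parse a REGEDIT4 .reg file into
the list of registry operations it would perform when imported."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The fix posted in the thread, kept as a raw string so backslashes stay literal.
AVGOLD_FIX = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]
"""


@dataclass
class RegOp:
    """One change a .reg import performs (names are this example's own)."""
    action: str                       # "delete_key", "delete_value" or "set_value"
    key: str                          # full key path, e.g. HKEY_CURRENT_USER\...\Run
    value_name: Optional[str] = None  # "" means the key's (Default) value
    data: Optional[str] = None        # raw data text for set_value, else None


_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                        # [KEY] or [-KEY]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data


def parse_reg(text: str) -> List[RegOp]:
    lines = text.splitlines()
    if not lines or lines[0].strip() not in _HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    ops: List[RegOp] = []
    current_key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank line or comment
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(RegOp("delete_key", key))   # [-KEY] removes the whole key
                current_key = None                     # values under it make no sense
            else:
                current_key = key                      # [KEY] opens a section
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            quoted, default, data = m.groups()
            # unescape \" and \\ inside a quoted value name; "@" is the (Default) value
            name = "" if default else quoted.replace('\\"', '"').replace("\\\\", "\\")
            if data == "-":
                ops.append(RegOp("delete_value", current_key, name))  # "name"=- deletes it
            else:
                ops.append(RegOp("set_value", current_key, name, data))
            continue
        raise ValueError(f"unrecognised .reg line: {raw!r}")
    return ops


def describe(ops: List[RegOp]) -> List[str]:
    """Human-readable review lines, one per operation."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}")
        elif op.action == "delete_value":
            out.append(f"DELETE VALUE {op.key} -> {op.value_name or '(Default)'}")
        else:
            out.append(f"SET VALUE    {op.key} -> {op.value_name or '(Default)'} = {op.data}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(AVGOLD_FIX)):
        print(line)
```

For the fix above this prints three lines: two key deletions and one value deletion under the HKCU Run key, so nothing is added to the registry by importing it.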

#23
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
Kristy,

Did what you said. Did the Killbox, copied the following and pasted from clipboard. But not one of these went into the box so that I could delete them.

C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html

Then I ran the AVGoldfix.reg in Safe Mode.
I did not see C:\Program Files\AntiVirusGold BUT I did find C:\Program Files\XGI and I deleted it.

I also went to Control Panel, clicked Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

BUT I did not find Security Info


Here is my new Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 10:52:14 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Gilbert Mejia\Desktop\AVGOLDFIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#24
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Hello elvergudo,

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (e.g. C:\HJT). This ensures backups are saved and accessible.

Next please run HijackThis, click Scan, and check:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all open windows except for HijackThis and click Fix Checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):

C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html


Empty your recycle bin, and reboot normally.

If you would please, rescan with HijackThis, and Panda and post fresh logs in this same topic, and let us know how your system's working. ;)

~Kristy :tazz:
  • 0
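As an added example, not part of the thread and not HijackThis's own code, the following Python parser splits HijackThis v1.99 log lines into their section code (R0, O4, O23 and so on) and fields. `blank_browser_settings` picks out exactly the two `Local Page =` lines Kristy asks to fix above, and `autoruns_without_full_path` flags O4 entries that name a bare file instead of a full path, since the log line alone does not pin down which file such an entry runs. The sample lines are copied from the log posted in the thread; the class and function names are this example's own.

```python
"""Added example (not from the thread, not HijackThis code): parse
HijackThis v1.99 log lines into their section code and fields so the
entries a helper asks you to check can be located programmatically."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample lines copied from the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""


@dataclass
class Entry:
    code: str                                    # section code: R0, O4, O23, ...
    raw: str                                     # the original log line
    fields: Dict[str, str] = field(default_factory=dict)


_LINE_RE = re.compile(r'^([RFNO]\d+) - (.*)$')
# R0/R1:  HIVE\key,Value name = data     (data may be empty)
_R_RE = re.compile(r'^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$')
# O4:     HIVE\..\Run: [entry name] command line
_O4_RE = re.compile(r'^(?P<hive>HK\w+)\\\.\.\\(?P<subkey>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$')


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.rstrip()
        m = _LINE_RE.match(raw)
        if not m:
            continue                    # header lines and the process list carry no code
        code, body = m.groups()
        entry = Entry(code, raw)
        if code in ("R0", "R1"):
            rm = _R_RE.match(body)
            if rm:
                entry.fields = rm.groupdict()
        elif code == "O4":
            om = _O4_RE.match(body)
            if om:
                entry.fields = om.groupdict()
        elif code == "O23" and body.startswith("Service: "):
            # "Service: display name - company - path"; split from the right so a
            # display name that itself contains " - " does not break the parse
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                entry.fields = dict(zip(("display", "company", "path"), parts))
        entries.append(entry)
    return entries


def blank_browser_settings(entries: List[Entry]) -> List[Entry]:
    """R0/R1 lines with nothing after '=', like the two 'Local Page =' lines above."""
    return [e for e in entries if e.code in ("R0", "R1") and e.fields.get("value") == ""]


def autoruns_without_full_path(entries: List[Entry]) -> List[str]:
    """Names of O4 entries whose command is a bare file name rather than a drive
    path; Windows resolves those by its search order, so the log line alone does
    not tell you which file actually runs at logon."""
    flagged = []
    for e in entries:
        if e.code != "O4":
            continue
        command = e.fields.get("command", "").lstrip('"')
        if not re.match(r'^[A-Za-z]:\\', command):
            flagged.append(e.fields.get("name", e.raw))
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in blank_browser_settings(parsed):
        print("blank setting:", e.raw)
    print("autoruns without a full path:", autoruns_without_full_path(parsed))
```

On the sample above the blank-setting check returns the HKCU and HKLM `Local Page` lines, and the path check returns only `BCMSMMSG` (present in the log's process list as C:\WINDOWS\BCMSMMSG.exe, which is why the helper does not ask to fix it; the point is that the O4 line alone does not say so).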

#25
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
Kristy,

Did what you said

Did not find

C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html


Here is the Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 11:45:35 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Documents and Settings\Gilbert Mejia\Desktop\AVGOLDFIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is the ActiveScan

Incident Status Location

Adware:adware/myway No disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Antivirus-gold No disinfected C:\!Submit\screen.html
Possible Virus. No disinfected C:\Program Files\The Cleaner\MooLive.exe
  • 0

#26
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Did you set it so hidden files will show?

~Kristy
  • 0

#27
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
yes

and it came up with a warning asking me if I still wanted to proceed
  • 0

#28
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Ok, it's getting late here. So I will post back to you tomorrow.

~Kristy
  • 0

#29
Kristy
    Visiting Consultant
  • Member
  • 1,099 posts
Hello elvergudo,

You may wish to print out these instructions to make them easier to follow.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Next, boot into safe mode.

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):

C:\!Submit\screen.html
C:\Program Files\The Cleaner\MooLive.exe (If you don't know what this is, delete it as well)


Empty your recycle bin, and reboot normally.

Reply back with the log from the scan, and let me know how your computer is working now.

~Kristy :tazz:
  • 0

#30
elvergudo
    Member
  • Topic Starter
  • Member
  • 18 posts
Kristy,

I did what you said

Here is the spysweeper log

********
10:34 PM: |··· Start of Session, Saturday, July 16, 2005 ···|
10:34 PM: Spy Sweeper started
10:34 PM: Sweep initiated using definitions version 505
10:34 PM: Starting Memory Sweep
10:36 PM: Memory Sweep Complete, Elapsed Time: 00:02:23
10:36 PM: Starting Registry Sweep
10:37 PM: Found Trojan Horse: antivirus gold
10:37 PM: HKCR\appid\cerberus.exe\ (1 subtraces) (ID = 4364402)
10:37 PM: HKCR\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 4364403)
10:37 PM: HKCR\cerberus.enginelistener.1\ (3 subtraces) (ID = 4364404)
10:37 PM: HKCR\cerberus.enginelistener\ (5 subtraces) (ID = 4364405)
10:37 PM: HKCR\cerberus.scanner.1\ (3 subtraces) (ID = 4364406)
10:37 PM: HKCR\cerberus.scanner\ (5 subtraces) (ID = 4364407)
10:37 PM: HKCR\cerberus.threatcollection.1\ (3 subtraces) (ID = 4364408)
10:37 PM: HKCR\cerberus.threatcollection\ (5 subtraces) (ID = 4364409)
10:37 PM: HKCR\clsid\{020b1227-417d-4682-9ac3-61f43cb5b6b1}\ (9 subtraces) (ID = 4364410)
10:37 PM: HKCR\clsid\{3d00a39c-655b-428b-aeb2-2fba03dcc49c}\ (8 subtraces) (ID = 4364411)
10:37 PM: HKCR\clsid\{5f6bbd8a-18cf-4d55-8b4c-c9b4c9328dfe}\ (8 subtraces) (ID = 4364412)
10:37 PM: HKCR\clsid\{8c56b6ce-c53f-44c4-9bdc-a9bc1711d05a}\ (8 subtraces) (ID = 4364413)
10:37 PM: HKCR\clsid\{8ee6bf73-b370-4d13-9126-eb0071178f2e}\ (8 subtraces) (ID = 4364414)
10:37 PM: HKCR\clsid\{9bb7e700-4e48-476d-b75c-6f47606be988}\ (8 subtraces) (ID = 4364415)
10:37 PM: Found Adware: cws_analyzeie
10:37 PM: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 4377830)
10:37 PM: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 4377852)
10:37 PM: Found Adware: instafinder
10:37 PM: HKU\WRSS_Profile_S-1-5-21-2366997589-1562546304-2584548655-501\software\instafink\ (26 subtraces) (ID = 4389737)
10:37 PM: Found Adware: psguard desktop hijacker
10:37 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet update\ (3 subtraces) (ID = 4398274)
10:37 PM: HKLM\software\psguard.com\ (1 subtraces) (ID = 4398275)
10:37 PM: Registry Sweep Complete, Elapsed Time:00:00:14
10:37 PM: Starting Cookie Sweep
10:37 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:37 PM: Starting File Sweep
10:38 PM: screen.html (ID = 4090481)
10:39 PM: File Sweep Complete, Elapsed Time: 00:01:53
10:39 PM: Full Sweep has completed. Elapsed time 00:04:36
10:39 PM: Traces Found: 510
10:46 PM: Removal process initiated
10:46 PM: Quarantining All Traces: antivirus gold
10:46 PM: Quarantining All Traces: cws_analyzeie
10:46 PM: Quarantining All Traces: instafinder
10:46 PM: Quarantining All Traces: psguard desktop hijacker
10:46 PM: Removal process completed. Elapsed time 00:00:12
********
10:34 PM: |··· Start of Session, Saturday, July 16, 2005 ···|
10:34 PM: Spy Sweeper started
10:34 PM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 000000D0
10:34 PM: |··· End of Session, Saturday, July 16, 2005 ···|

I deleted the whole file of C:\!Submit
C:\Program Files\The Cleaner\MooLive.exe (If you don't know what this is, delete it as well)

My Task Mgr is still the same :tazz:

I still have to press ALT F4