Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Antivirus Gold- HiJackThis log- PLEASE HELP

Started by KristinJohnson , Jun 26 2005 07:29 PM

  • Please log in to reply

#1
KristinJohnson
Posted 26 June 2005 - 07:29 PM

KristinJohnson

    New Member

  • Member
  • Pip
  • 1 posts
Hello, I have a virus that is being caused by the Antivirus Gold software. My desktop screen is all black and says that I have a virus. It instructs me to click a link for removal instructions which brings me to the Antivirus Gold website. Also, if I am unactive a webiste viewer message pops on my screen that says "This call is not free, this call involves calling a premium number, the cost is international rate." Finally, my homepage keeps on being reset to SearchPortal Info http://www.search-paga.com/ even after I change it.

PLEASE HELP!! Thank you in advance!

Logfile of HijackThis v1.99.1
Scan saved at 7:57:25 PM, on 6/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inet20037\winlogon.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\winsocks5.exe
C:\WINNT\system32\gglib.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\hookdump.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINNT\system32\cleanmgr.exe
C:\WINNT\system32\cleanmgr.exe
C:\WINNT\system32\cleanmgr.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.search-paga.com/10087/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://yahoo.sbc.com/dsl
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\inet20037\winlogon.exe
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net

ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com

downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com

ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com

msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com

phx.corporate-ir.net secure.nai.com securityresponse.symantec.com

service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com

update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru

windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net

www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com

www.nai.com www.networkassociates.com www.sophos.com www.symantec.com

www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} -

C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} -

C:\WINNT\drexinit.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} -

C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467}

- C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program

Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common

Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint

Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20037\winlogon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security

iGuard.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINNT\winsocks5.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe

-quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet20037\winlogon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program

Files\AdwareFilter\adwarefilter.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program

Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program

Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM

Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program

Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program

Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -

C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5}

- C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Microsoft AntiSpyware helper -

{24F0D7B5-9CA3-427E-8424-F556B3073AC7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{24F0D7B5-9CA3-427E-8424-F556B3073AC7} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper -

{57C90F61-E916-48DF-8196-EC7AA7238E38} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{57C90F61-E916-48DF-8196-EC7AA7238E38} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper -

{F4624192-CFFF-4913-B2AE-99C4DE8804F1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{F4624192-CFFF-4913-B2AE-99C4DE8804F1} - (no file) (HKCU)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} -

http://www.uproar.co...pside_web18.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) -

http://install.homes...ive/HS_live.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS

Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation -

C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
  • 0

Advertisements

#2
Wizard
Posted 26 June 2005 - 09:39 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi KristinJohnson and Welcome to GeekstoGo!

Please locate these files and send them to me!

C:\WINNT\winsocks5.exe

C:\WINNT\drexinit.dll

C:\WINNT\system32\gglib.exe

To send them,Right Click the Desktop and Select New>>Compressed(Zipped)Folder

Place a copy of each file in the Zip Folder and email them here>>[email protected]

Now delete that Zip Folder!

We are going to have to download quite a few programs to assist us in this cleaning!

So Right Click the Desktop and Select New>> Select Folder>> Name it whatever you like!

Please Copy these Instructions to Notepad and Save them to your Desktop,You must not be connected to the Internet once you are in Safe Mode!

Use this tutorial by Calamity Jane to get us Started!
http://forums.subrat...?showtopic=3466

Please follow these directions exactly as they are laid out for them to be effective!

I will add some Instructions for Safe Mode to help you along!

Download Ewido Security Suite, install then from within the program check for updates BUT dont scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net...wnload/updates/

Download and Install CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Download RegScrubXP v.3.25
http://www.majorgeek...wnload2048.html

Restart Normal and Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard
AdwareDelete
AdwareFilter

Making sure all updates needed are done,Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Once in Safe Mode,Physically Disconnect from the Internet!

Open but dont run or Minimize Kaspersky and Ewido

Right Click the Task,Bar near the clock and Select Task Manager

Now remember when you end Explorer.exe,the TaskBar and the Desktop are going to Disappear!!

So locate the Processes Tab and go through the list(Click Image Name to Alphabetize the list) Locate these and if they exist,Right Click or Highlight and Select "End Process"!!

hookdump.exe
gglib.exe
winsocks5.exe
winlogon.exe<< if it doesnt end process dont worry about it!
rundll32.exe
Explorer.EXE

Scan the PC with Kaspersky and Delete all it Finds and Close it out!

Scan with Ewido>when prompted>Select to clean and place a check by the box to use this action for all infections!

Once it completes,Click the tab to Save the report and Save it to your Desktop for easy access!

Close out Ewido!

In the Task Manager>> Click File>> Click New Task (Run...)>> Copy&Paste the below bold text and Click OK!

C:\WINNT\explorer.exe

Now Open up CleanUp! and Microsoft AntiSpyware

Scan the PC with Microsoft AntiSpyware and Delete all it Finds!

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "No" to Logoff!

Now locate and open RegScrubXP and Click "RegScrubXP finds Problems"

Let it scan the System and when it completes Click "Select all Problems" and "Fix Selected Problems"

Open and Run Hoster once more just as before!

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

Post back with a fresh HijackThis log and the Reports from Ewido and Panda!

Edited by Cretemonster, 26 June 2005 - 09:46 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP