[.:bob schmo:.]

Thanks so much, I also sent the email to the address you specified. Good luck and thanks with everything so far, I await the resolution eagerly.

[Advertisements]

Lets do this as well bob

Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip
1. Reboot into safe mode
2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt
3. Reboot back to Normal Mode.
4. Post the log

[Atribune]

Lets do this as well bob

Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip
1. Reboot into safe mode
2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait untill its finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt
3. Reboot back to Normal Mode.
4. Post the log

[Atribune]

oops double post

Edited by Atribune, 15 July 2005 - 04:50 PM.

[.:bob schmo:.]

How long should it take in safe mode, it's been going for a very long time...

Also, it can be run from the desktop right?

EDIT: Here are the results:

C:\Documents and Settings\Eric\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\qz.dll: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\sys1314.exe: FSG!
C:\WINDOWS\sys1345.exe: FSG!
C:\WINDOWS\sys137.exe: FSG!
C:\WINDOWS\sys1418.exe: FSG!
C:\WINDOWS\sys142.exe: FSG!
C:\WINDOWS\sys1420.exe: FSG!
C:\WINDOWS\sys1451.exe: FSG!
C:\WINDOWS\sys1455.exe: FSG!
C:\WINDOWS\sys1518.exe: FSG!
C:\WINDOWS\sys1521.exe: FSG!
C:\WINDOWS\sys1528.exe: FSG!
C:\WINDOWS\sys16.exe: FSG!
C:\WINDOWS\sys1737.exe: FSG!
C:\WINDOWS\sys176.exe: FSG!
C:\WINDOWS\sys1810.exe: FSG!
C:\WINDOWS\sys1819.exe: FSG!
C:\WINDOWS\sys1850.exe: FSG!
C:\WINDOWS\sys1852.exe: FSG!
C:\WINDOWS\sys2254.exe: FSG!
C:\WINDOWS\sys2324.exe: FSG!
C:\WINDOWS\sys2332.exe: FSG!
C:\WINDOWS\sys2637.exe: FSG!
C:\WINDOWS\sys266.exe: FSG!
C:\WINDOWS\sys2710.exe: FSG!
C:\WINDOWS\sys2812.exe: FSG!
C:\WINDOWS\sys2843.exe: FSG!
C:\WINDOWS\sys2846.exe: FSG!
C:\WINDOWS\sys4718.exe: FSG!
C:\WINDOWS\sys4749.exe: FSG!
C:\WINDOWS\sys4753.exe: FSG!
C:\WINDOWS\sys4931.exe: FSG!
C:\WINDOWS\sys4951.exe: FSG!
C:\WINDOWS\sys4957.exe: FSG!
C:\WINDOWS\sys4959.exe: FSG!
C:\WINDOWS\sys501.exe: FSG!
C:\WINDOWS\sys5010.exe: FSG!
C:\WINDOWS\sys5012.exe: FSG!
C:\WINDOWS\sys502.exe: FSG!
C:\WINDOWS\sys5034.exe: FSG!
C:\WINDOWS\sys5043.exe: FSG!
C:\WINDOWS\sys509.exe: FSG!
C:\WINDOWS\sys515.exe: FSG!
C:\WINDOWS\sys5532.exe: FSG!
C:\WINDOWS\sys563.exe: FSG!
C:\WINDOWS\sys566.exe: FSG!
C:\WINDOWS\sys714.exe: FSG!
C:\WINDOWS\sys745.exe: FSG!
C:\WINDOWS\sys753.exe: FSG!
Finished
bye


avpx32.sys is gone!

Edited by .:bob schmo:., 15 July 2005 - 05:24 PM.

[.:bob schmo:.]

Ok, I know this is a double post, but this would catch no ones attention since I've already edited the post above twice, and nobody would notice this.

Norton keeps popping up saying it found and removed a virus, tmpf00.exe from my system every once in a while. It is deleted, then its back, deleted, back, and so on. Any ideas?

Also, found this topic and a file associated to it (klo5.sys):

http://support.micro...kb;en-us;903251

Edited by .:bob schmo:., 15 July 2005 - 06:56 PM.

[Atribune]

Hi bob, Can you zip a couple of those files found with RKFiles and email them to the same address

Thanks Atri

[.:bob schmo:.]

Ok I sent them, also I'm not sure if you noticed, but apvx32.sys is gone, and I'm going to follow the steps on the microsoft website to try and remove those files. So far it hasn't woked, since my disc is newer than my actual os, but I have a workaround....

[Atribune]

Hi Bob,

I was referring to these files

C:\WINDOWS\sys5012.exe: FSG!
C:\WINDOWS\sys502.exe: FSG!
C:\WINDOWS\sys5034.exe: FSG!
C:\WINDOWS\sys5043.exe: FSG!
C:\WINDOWS\sys509.exe: FSG!
C:\WINDOWS\sys515.exe: FSG!
C:\WINDOWS\sys5532.exe: FSG!

[Atribune]

Delete the HSFix folder from before and then follow these instructions.

[*]First, download HSFix from here
[*]After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
[*]Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
[*]Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
[*]A log will be produced which you can close out of.
[*]Restart your computer into normal mode and run at least one of the following free, online virus scans:
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://www3.ca.com/t...sinfo/scan.aspx
[*]Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt
[/list]

Edited by Atribune, 16 July 2005 - 12:40 PM.

[Atribune]

Bob i now have the installer for the variant you have and successfully removed it with my last instructons.

[.:bob schmo:.]

Ok, I will try these, do you still want me to email you the files?

[Atribune]

Yes please. This will not remove the files i asked for we will get to that soon.

[.:bob schmo:.]

Ok, I've emailed them to you, and I'm in the process of using an online scanner. One question though, I have a file and process rundll32.exe and I did a search on it, and it is a virus? Can you confirm this and maybe give me removal instructions?

EDIT: Ok, finished scans, here are all logs:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:02 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Eric\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pulse.clicdev.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121061067941
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FileChecker - Created by javacool. - C:\Program Files\FileChecker\filechecker.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Winlogon is gone! I'm not sure if it is clean though....

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
klo5
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

qy
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

-
3. Finding files Located on system
-
klogini.dll
ps.a3d
klo5.sys
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\qy.sys
C:\WINDOWS\system32\p3.ini
C:\WINDOWS\system32\avpx32.dll
-
4. Deleting files that were found.
-
unable to remove ps.a3d
unable to remove C:\WINDOWS\system32\avpx32.dll
-
5. Checking for and Removing Winupdate
-
-
-

Of course, after I ran this, Norton found avpx32.exe and deleted it, and I ran this tool again, and it deleted ps.a3d, so it is gone too. There are still 3 .a3d files, not sure if that is bad, but just in case...

Edited by .:bob schmo:., 16 July 2005 - 03:50 PM.

[Atribune]

the a3d files can all go

I reinfected and cant fix now, so I dont think I have found everything yet.

Can you do a search for these files and let me know which ones are found.
redir2.a3d
avpx64.sys
avpx32.sys
qz.dll
qz.sys
qy.sys
avpx32.dll
redir.a3d
fltr.a3d
tndebase.dat
tnfl.a3d
p3.ini
klogini.dll
wmx.a3d
redir2.a3d

[.:bob schmo:.]

redir.a3d <<you put redir2.a3d twice, was this what you meant?
filtr.a3d
tnfl.a3d
klogini.dll <<in some SpyBot S&D folder

**found a p3.sys but not a p3.ini