Bt2net and PSGuard Virus [RESOLVED]
#46
Posted 15 July 2005 - 04:33 PM
#47
Posted 15 July 2005 - 04:41 PM
Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip
1. Reboot into safe mode
2. Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait until it's finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt
3. Reboot back to Normal Mode.
4. Post the log
#48
Posted 15 July 2005 - 04:50 PM
Edited by Atribune, 15 July 2005 - 04:50 PM.
#49
Posted 15 July 2005 - 05:10 PM
Also, it can be run from the desktop right?
EDIT: Here are the results:
C:\Documents and Settings\Eric\Desktop
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\qz.dll: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\sys1314.exe: FSG!
C:\WINDOWS\sys1345.exe: FSG!
C:\WINDOWS\sys137.exe: FSG!
C:\WINDOWS\sys1418.exe: FSG!
C:\WINDOWS\sys142.exe: FSG!
C:\WINDOWS\sys1420.exe: FSG!
C:\WINDOWS\sys1451.exe: FSG!
C:\WINDOWS\sys1455.exe: FSG!
C:\WINDOWS\sys1518.exe: FSG!
C:\WINDOWS\sys1521.exe: FSG!
C:\WINDOWS\sys1528.exe: FSG!
C:\WINDOWS\sys16.exe: FSG!
C:\WINDOWS\sys1737.exe: FSG!
C:\WINDOWS\sys176.exe: FSG!
C:\WINDOWS\sys1810.exe: FSG!
C:\WINDOWS\sys1819.exe: FSG!
C:\WINDOWS\sys1850.exe: FSG!
C:\WINDOWS\sys1852.exe: FSG!
C:\WINDOWS\sys2254.exe: FSG!
C:\WINDOWS\sys2324.exe: FSG!
C:\WINDOWS\sys2332.exe: FSG!
C:\WINDOWS\sys2637.exe: FSG!
C:\WINDOWS\sys266.exe: FSG!
C:\WINDOWS\sys2710.exe: FSG!
C:\WINDOWS\sys2812.exe: FSG!
C:\WINDOWS\sys2843.exe: FSG!
C:\WINDOWS\sys2846.exe: FSG!
C:\WINDOWS\sys4718.exe: FSG!
C:\WINDOWS\sys4749.exe: FSG!
C:\WINDOWS\sys4753.exe: FSG!
C:\WINDOWS\sys4931.exe: FSG!
C:\WINDOWS\sys4951.exe: FSG!
C:\WINDOWS\sys4957.exe: FSG!
C:\WINDOWS\sys4959.exe: FSG!
C:\WINDOWS\sys501.exe: FSG!
C:\WINDOWS\sys5010.exe: FSG!
C:\WINDOWS\sys5012.exe: FSG!
C:\WINDOWS\sys502.exe: FSG!
C:\WINDOWS\sys5034.exe: FSG!
C:\WINDOWS\sys5043.exe: FSG!
C:\WINDOWS\sys509.exe: FSG!
C:\WINDOWS\sys515.exe: FSG!
C:\WINDOWS\sys5532.exe: FSG!
C:\WINDOWS\sys563.exe: FSG!
C:\WINDOWS\sys566.exe: FSG!
C:\WINDOWS\sys714.exe: FSG!
C:\WINDOWS\sys745.exe: FSG!
C:\WINDOWS\sys753.exe: FSG!
Finished
bye
avpx32.sys is gone!
Edited by .:bob schmo:., 15 July 2005 - 05:24 PM.
#50
Posted 15 July 2005 - 06:22 PM
Norton keeps popping up saying it found and removed a virus, tmpf00.exe, from my system every once in a while. It is deleted, then it's back, deleted, back, and so on. Any ideas?
Also, found this topic and a file associated to it (klo5.sys):
http://support.micro...kb;en-us;903251
Edited by .:bob schmo:., 15 July 2005 - 06:56 PM.
#51
Posted 16 July 2005 - 07:33 AM
Thanks Atri
#52
Posted 16 July 2005 - 12:12 PM
#53
Posted 16 July 2005 - 12:24 PM
I was referring to these files
C:\WINDOWS\sys5012.exe: FSG!
C:\WINDOWS\sys502.exe: FSG!
C:\WINDOWS\sys5034.exe: FSG!
C:\WINDOWS\sys5043.exe: FSG!
C:\WINDOWS\sys509.exe: FSG!
C:\WINDOWS\sys515.exe: FSG!
C:\WINDOWS\sys5532.exe: FSG!
#54
Posted 16 July 2005 - 12:28 PM
1. First, download HSFix from here
2. After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
3. Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
4. Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
5. A log will be produced which you can close out of.
6. Restart your computer into normal mode and run at least one of the following free, online virus scans:
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://www3.ca.com/t...sinfo/scan.aspx
7. Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt
Edited by Atribune, 16 July 2005 - 12:40 PM.
#55
Posted 16 July 2005 - 01:12 PM
#56
Posted 16 July 2005 - 01:45 PM
#57
Posted 16 July 2005 - 02:40 PM
#58
Posted 16 July 2005 - 03:13 PM
EDIT: Ok, finished scans, here are all logs:
Logfile of HijackThis v1.99.1
Scan saved at 2:39:02 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Eric\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pulse.clicdev.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121061067941
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FileChecker - Created by javacool. - C:\Program Files\FileChecker\filechecker.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Winlogon is gone! I'm not sure if it is clean though....
Horseserver Removal Tool v1.05 by Atri

1. Registry Fix Started
Registry fix complete

2. Deleted Services
klo5
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
qy
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

3. Finding files Located on system
klogini.dll
ps.a3d
klo5.sys
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\qy.sys
C:\WINDOWS\system32\p3.ini
C:\WINDOWS\system32\avpx32.dll

4. Deleting files that were found.
unable to remove ps.a3d
unable to remove C:\WINDOWS\system32\avpx32.dll

5. Checking for and Removing Winupdate
Of course, after I ran this, Norton found avpx32.exe and deleted it, and I ran this tool again, and it deleted ps.a3d, so it is gone too. There are still 3 .a3d files, not sure if that is bad, but just in case...
Edited by .:bob schmo:., 16 July 2005 - 03:50 PM.
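Added example, not HijackThis and not anything posted by the thread participants: a small triage pass over HijackThis 1.99 log lines of the kind shown in the post above. It parses the O4 (Run keys and Startup folders) and O23 (services) entries and flags the three things an analyst checks first in such a log: a Run entry whose command is a bare filename with no directory (kmw_run.exe, Grxp4exe.exe, rundll32.exe nview.dll in the log above), which Windows resolves by a path search at logon so the log alone does not say where the binary lives; a service whose binary HijackThis could not attribute to a publisher ("Unknown owner"); and any entry HijackThis has annotated "(file missing)". The sample lines are copied from the posted log; the regular expressions, the `executable()` token rule and the function names are this example's own, and a flag is a "go and look" prompt, not a verdict (Adobe LM Service and the Gravis driver entry are plausibly legitimate).

```python
"""Triage helper for HijackThis 1.99 log lines (added example, not HijackThis)."""
import re

# Run-key entries:    O4 - HKLM\..\Run: [name] command
# Startup shortcuts:  O4 - Startup: name.lnk = command
# Services:           O23 - Service: name - owner - path
O4_RUN = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# Unquoted command lines may contain spaces; cut at the first known extension.
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|bat|cmd|com|scr))(?:\s|$)", re.I)

# Sample input: lines taken from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe",
    r"O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer",
    r"O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init",
    r"O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook",
    r"O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE",
    r"O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
]


def executable(cmd):
    """Program part of a command line: the quoted path if it starts with a
    quote, otherwise everything up to the first recognised extension, and
    failing that the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(lines):
    """Return a list of (section, entry name, reason) for entries worth a look."""
    findings = []
    for line in lines:
        line = line.strip()
        if "(file missing)" in line:
            sec, _, rest = line.partition(" - ")
            findings.append((sec, rest.split(" - ")[0], "target file is missing on disk"))
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            exe = executable(m.group("cmd"))
            if "\\" not in exe:   # no directory: located by path search at logon
                findings.append(("O4", m.group("name"),
                                 f"bare name {exe!r}, location not recorded; find the file"))
            continue
        m = O23_SVC.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(("O23", m.group("name"),
                             "service binary without publisher info; verify the file"))
    return findings


def flagged(lines):
    """Names of the entries triage() flags (a set, convenient for diffing two logs)."""
    return {name for _sec, name, _why in triage(lines)}


if __name__ == "__main__":
    for sec, name, why in triage(SAMPLE_LOG):
        print(f"{sec:<4} {name}: {why}")
```

Run it on a whole log by reading the file into a list of lines and passing it to `triage()`; `flagged()` on two logs taken before and after a cleanup gives a quick diff of what changed. The bare-name rule deliberately fires on rundll32.exe entries too, because the interesting part (the DLL name) is just as path-less.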
#59
Posted 16 July 2005 - 04:23 PM
I reinfected and can't fix now, so I don't think I have found everything yet.
Can you do a search for these files and let me know which ones are found.
redir2.a3d
avpx64.sys
avpx32.sys
qz.dll
qz.sys
qy.sys
avpx32.dll
redir.a3d
fltr.a3d
tndebase.dat
tnfl.a3d
p3.ini
klogini.dll
wmx.a3d
redir2.a3d
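Added example, not RKFiles, HSFix or anything posted in the thread: an offline sweep that does in one pass what the two procedures above ask for by hand, namely the RKFiles-style marker scan from post #47 (whose log prints "FSG!" next to each hit) and the filename search requested in post #59. It walks a directory tree, reports files whose basename is on the watch-list from #59, and reports files that contain the byte string "FSG!". The tree it runs on is a constructed stand-in for C:\WINDOWS (an MZ header plus the marker, no real malware). Assumption: RKFiles flags a file when that literal string occurs in it; a substring hit only suggests the file is packed, not that it is malicious, which is exactly the caveat at the top of the RKFiles log.

```python
"""Watch-list and packer-marker sweep (added example, not RKFiles or HSFix)."""
import os
import tempfile

# Filenames requested in post #59, matched case-insensitively on the basename.
WATCHLIST = {
    "redir2.a3d", "avpx64.sys", "avpx32.sys", "qz.dll", "qz.sys", "qy.sys",
    "avpx32.dll", "redir.a3d", "fltr.a3d", "tndebase.dat", "tnfl.a3d",
    "p3.ini", "klogini.dll", "wmx.a3d",
}

# Marker the RKFiles log reports.  Assumption: a plain substring match.
MARKERS = [b"FSG!"]


def build_sample_tree():
    """Constructed sample tree standing in for C:\\WINDOWS.  The 'packed'
    files are just an MZ header followed by the marker; nothing here runs."""
    root = tempfile.mkdtemp(prefix="winsweep_")
    files = {
        "sys1314.exe": b"MZ" + b"\x00" * 60 + b"FSG!" + b"\x00" * 16,
        "system32/qz.dll": b"MZ" + b"\x00" * 60 + b"FSG!",
        "system32/p3.sys": b"MZ" + b"\x00" * 64,       # p3.sys exists, p3.ini does not
        "system32/notepad.exe": b"MZ" + b"\x00" * 64,  # clean, unpacked
        "Program Files/Spybot/klogini.dll": b"",        # name hit only, no marker
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def sweep(root):
    """Walk *root*; return two sorted lists of (path relative to root, reason):
    watch-list name hits and marker hits.  Relative paths use '/' on any OS."""
    name_hits, marker_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in WATCHLIST:
                name_hits.append((rel, "on watch-list"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:      # locked or unreadable (common for live drivers): skip
                continue
            for marker in MARKERS:
                if marker in data:
                    marker_hits.append((rel, marker.decode("ascii")))
    return sorted(name_hits), sorted(marker_hits)


def report(root):
    """Lines in the same 'path: reason' shape as the RKFiles log."""
    name_hits, marker_hits = sweep(root)
    return [f"{rel}: {why}" for rel, why in marker_hits + name_hits]


if __name__ == "__main__":
    print("\n".join(report(build_sample_tree())))
```

Point `sweep()` at a real Windows directory (from Safe Mode, as the instructions above say, so fewer files are locked) and diff the output before and after a cleanup; the watch-list hit on klogini.dll under a "Program Files/Spybot" folder mirrors the reply in the thread, and p3.sys is deliberately not reported because only p3.ini is on the list.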
#60
Posted 16 July 2005 - 05:05 PM
filtr.a3d
tnfl.a3d
klogini.dll <<in some SpyBot S&D folder
**found a p3.sys but not a p3.ini