[Jarsk8er]

Logfile of HijackThis v1.99.1
Scan saved at 10:57:53 AM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\dial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Installer] C:\dial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

[Advertisements]

Hi Jarsk8er and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.



Excal

[Excal]

Hi Jarsk8er and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.



Excal

[Jarsk8er]

Logfile of HijackThis v1.99.1
Scan saved at 7:32:39 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\dial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Installer] C:\dial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe



There you go that is a brand new fresh one just done right now. Thank You and the time frame is not a problem unless my computer melts down from this which is not the case. =) Thank You again and i appreciate any help.

[Excal]

Hi Jarsk8er,

Please go here and upload

C:\dial.exe

then please post the results in your next reply.

Run this online virus scan: ActiveScan - Save the results from the scan and post it in your next reply.


Thanks,



Excal

[Jarsk8er]

Last file scanned at least one scanner reported something about: Win32.Trojan.CD_Argen in do_mau.rar, detected by:

Scanner Malware name
AntiVir TR/CD.Argen
ArcaVir X
Avast Win32:CDDoor
AVG Antivirus X
BitDefender Trojan.CD.Argen.A
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus Trojan.Win32.CD_Argen
NOD32 X
Norman Virus Control X
UNA X
VBA32 Win32.Trojan.CD_Argen


You're free to (mis)interpret these automated, flawed statistics at your own discretion.

85172 files (51417 of those unique) have been uploaded & scanned since 07/Jun/2005, the day of the last database purge.
14400 of those 51417 files contained a virus or any other form of malware.




Incident Status Location

Adware:Adware/PurityScan No disinfected C:\dial.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SahImages
Adware:Adware/BlazeFind No disinfected C:\DOCUME~1\Jared\LOCALS~1\Temp\Installer?.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Adware:Adware/PurityScan No disinfected C:\dial.exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Jared\Local Settings\Temp\temp.fr7BB6
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Jared\Local Settings\Temporary Internet Files\Content.IE5\PF33REZS\index3[1].htm
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Jared\mt-uninstaller.exe
Adware:Adware/WUpd No disinfected C:\unzipped\hijackthis\backups\backup-20050701-111213-323.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\4r0af482.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\7qhc9rqd.exe
Virus:Trj/Agent.ZV Disinfected C:\WINDOWS\SysUpdate.exe

[Excal]

Hi Jarsk8er,

Did you by chance fix some things on your own in HiJackThis? Can you remember what they were?

I noticed that your HiJackthis.exe is running from your unziped folder, make sure to save HijackThis in its own folder (i.e. C:\HJT). DO NOT run it from within a zip manager (Winzip), as no backups will be saved.


DOWNLOAD PROGRAMS

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

O4 - HKLM\..\Run: [Installer] C:\dial.exe

7. click the Fix Checked box

8. Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\system32\SahImages

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\dial.exe
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\Documents and Settings\Jared\mt-uninstaller.exe
C:\WINDOWS\4r0af482.exe
C:\WINDOWS\system32\7qhc9rqd.exe
C:\WINDOWS\SysUpdate.exe

10. Run the program CleanUp!

11. Please post a fresh HiJackThis log. Let me know how your computer is running.

Edited by Excal, 09 July 2005 - 07:40 PM.

[Jarsk8er]

Logfile of HijackThis v1.99.1
Scan saved at 11:21:13 AM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe



It fixed the only proglem I could see w/ my computer. I was getting an internet explorer pop-up when i first started up my computer and that did not happen this time. Why was i not able to delete the dial.exe while i was in safe mode but i was able to delete all the other files that were essentially linked to it? Thanks for the help. =)

[Excal]

Did it give u an error when you tried to delete dial.exe? or was it just not there?


Open HiJackthis and do a scan. Check the following items:

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab

click CHECK FIXED.

• Please click this link to download Silent Runners.
• Save it to the desktop.
• Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
• You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
• Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
  
  
• NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  For some time it will look like nothing is happening. Just keep waiting.
  
• Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here

[Excal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.