Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't stop pop-ups [RESOLVED]

Started by Tonesterh , Jul 05 2005 03:05 PM

  • This topic is locked This topic is locked

#1
Tonesterh
Posted 05 July 2005 - 03:05 PM

Tonesterh

    Member

  • Member
  • PipPip
  • 22 posts
Cleaning all of my computers and cant seem to clear this one. Please look at my log and advise. Thanks



Logfile of HijackThis v1.99.1
Scan saved at 3:57:36 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\tsmgr.exe
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\zqjqyk.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\system32\tsmgr.exe
O4 - HKLM\..\Run: [tr] C:\documents and settings\pat\local settings\temp\tr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [3TFECJW2RNH4YZ] C:\WINDOWS\System32\Ovbl73H.exe
O4 - HKLM\..\Run: [S1vw] C:\documents and settings\pat\local settings\temp\S1vw.exe
O4 - HKLM\..\Run: [e3943625ed43] C:\WINDOWS\System32\ntlanman.exe
O4 - HKLM\..\Run: [Ljbmrl] C:\Program Files\Ekgmn\Dqic.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [3224bd9542a2] C:\WINDOWS\System32\umpnpmgr.exe
O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\Pat\LOCALS~1\Temp\~MySetup.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [2TDYN#33SYHFJS] C:\WINDOWS\system32\Cjp9g.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [otnznd] c:\windows\system32\zqjqyk.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119758350258
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements

#2
Excal
Posted 10 July 2005 - 06:26 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Tonesterh and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
Tonesterh
Posted 10 July 2005 - 09:12 PM

Tonesterh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:03:45 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\tsmgr.exe
C:\program files\tvs\tvs_b.exe
c:\windows\system32\imurte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\system32\tsmgr.exe
O4 - HKLM\..\Run: [tr] C:\documents and settings\pat\local settings\temp\tr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [3TFECJ 2RNH4YZ] C: WINDOWS\System32\Ovbl73H.exe
O4 - HKLM\..\Run: [S1vw] C:\documents and settings\pat\local settings\temp\S1vw.exe
O4 - HKLM\..\Run: [e3943625ed43] C:\WINDOWS\System32\ntlanman.exe
O4 - HKLM\..\Run: [Ljbmrl] C:\Program Files\Ekgmn\Dqic.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [3224bd9542a2] C:\WINDOWS\System32\umpnpmgr.exe
O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\Pat\LOCALS~1\Temp\~MySetup.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [2TDYN#33SYHFJS] C:\WINDOWS\system32\Cjp9g.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [ciwpueu] c:\windows\system32\imurte.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119758350258
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
Excal
Posted 10 July 2005 - 11:29 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.


DOWNLOAD PROGRAMS

Please download the trial version of Ewido Security Suite Here
Install it, and update the definitions to the newest files. Do NOT run a scan yet. (if you already have, please just update)

Please download Nailfix from Here
click nailfix.exe and choose install, a new folder will be created on your desktop named nailfixplease do NOT run it yet.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

First, we need to remove the pepper trojan. Download this file, run, and let terminate (it'll just blink briefly on your screen and won't appeared to have done much--this is normal): http://www.geekstogo...=download&id=18


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled. (if present)

5. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)

C:\WINDOWS\Nail.exe

6. Once in Safe Mode, please double-click on
Nailfix.cmd Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

7. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [tr] C:\documents and settings\pat\local settings\temp\tr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [3TFECJ 2RNH4YZ] C: WINDOWS\System32\Ovbl73H.exe
O4 - HKLM\..\Run: [S1vw] C:\documents and settings\pat\local settings\temp\S1vw.exe
O4 - HKLM\..\Run: [e3943625ed43] C:\WINDOWS\System32\ntlanman.exe
O4 - HKLM\..\Run: [Ljbmrl] C:\Program Files\Ekgmn\Dqic.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [3224bd9542a2] C:\WINDOWS\System32\umpnpmgr.exe
O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\Pat\LOCALS~1\Temp\~MySetup.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [2TDYN#33SYHFJS] C:\WINDOWS\system32\Cjp9g.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [ciwpueu] c:\windows\system32\imurte.exe r
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

11. click the Fix Checked box

12. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

WinTools

13. Please remove the following folders using Windows Explorer (if present):

c:\Program Files\Ftk
C:\PROGRAM Files\COMMON Files\WinTools
C:\Program Files\Ekgmn
C:\program files\tvs
C:\WINDOWS\System32\vidctrl


14. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\Nail.exe
C: WINDOWS\System32\Ovbl73H.exe
C:\WINDOWS\System32\ntlanman.exe
C:\WINDOWS\System32\umpnpmgr.exe
C:\WINDOWS\system32\Cjp9g.exe
C:\Program Files\Common Files\Java\ftkcpy.exe
c:\windows\system32\imurte.exe
C:\WINDOWS\svcproc.exe

15. Run the program CleanUp!

16. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

17. Please post an Active scan log , Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#5
Tonesterh
Posted 13 July 2005 - 06:04 AM

Tonesterh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Seems to be clean, I dont have any more pop-ups. I will report back in a day or two.

Here are my logs. Let me know if you see something I missed. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:24:28 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\system32\tsmgr.exe
O4 - HKLM\..\Run: [tr] C:\documents and settings\pat\local settings\temp\tr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [3TFECJW2RNH4YZ] C:\WINDOWS\System32\Ovbl73H.exe
O4 - HKLM\..\Run: [S1vw] C:\documents and settings\pat\local settings\temp\S1vw.exe
O4 - HKLM\..\Run: [e3943625ed43] C:\WINDOWS\System32\ntlanman.exe
O4 - HKLM\..\Run: [Ljbmrl] C:\Program Files\Ekgmn\Dqic.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [3224bd9542a2] C:\WINDOWS\System32\umpnpmgr.exe
O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\Pat\LOCALS~1\Temp\~MySetup.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [2TDYN#33SYHFJS] C:\WINDOWS\system32\Cjp9g.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [iiiwmf] c:\windows\system32\vjbrjnl.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119758350258
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:22:44 PM, 7/12/2005
+ Report-Checksum: 6D377FB2

+ Scan result:

HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj\CurVer -> Spyware.FlashTrack : Cleaned with backup
C:\Program Files\spsr\etts.exe -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\Pat\Local Settings\Temp\1D.tmp\thnall1ac.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Pat\Cookies\pat@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Pat\Cookies\pat@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153838.exe -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153839.exe -> Worm.Klez.H : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153840.EXE -> Worm.Klez.H : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153841.EXE -> Worm.Klez.H : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153842.EXE -> Worm.Klez.H : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153843.EXE -> Worm.Klez.H : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153844.exe -> Trojan.Small.cy : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153845.dll -> Spyware.FlashEnhancer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153846.exe -> TrojanDownloader.Small.adq : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153847.exe -> TrojanDropper.Small.kz : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153848.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153849.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153850.dll -> TrojanDownloader.Qoologic.a : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153851.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153852.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153853.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153854.exe -> Spyware.F1Organizer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153855.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153856.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153857.exe -> Spyware.IEDriver : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153858.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153859.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153860.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153861.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153862.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153863.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153864.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153865.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153866.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153867.exe -> Spyware.BlazeFind : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153868.exe -> Spyware.F1Organizer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153869.exe -> Spyware.F1Organizer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153870.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153871.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153872.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153873.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153878.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153883.dll -> Spyware.FlashEnhancer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153888.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153945.DLL -> Spyware.FlashEnhancer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153946.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153952.dll -> Spyware.FlashEnhancer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153953.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153961.dll -> Spyware.FlashEnhancer : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP488\A0153964.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP477\A0145135.exe -> TrojanDownloader.OneClickSearch.k : Cleaned with backup
C:\System Volume Information\_restore{60AFB83F-2851-48CA-A836-8A05EBD5A4F2}\RP477\A0145472.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup


::Report End


___________________________________________________________________

Incident Status Location

Virus:Trj/Downloader.IU Disinfected Operating system
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\sysfile.dll
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Adware:Adware/FlashTrack No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\Program Files\Common Files\slmss
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/Sqwire No disinfected C:\WINDOWS\system32\tsuninst.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Pat\Application Data\tvm*.dll
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Pat\Application Data\Lycos
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\Searchx.htm
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhdom??.bin
Adware:Adware/IEPlugin No disinfected Windows Registry
Spyware:Spyware/RXToolbar No disinfected C:\WINDOWS\system32\RxBarSetup.dll
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\tvs_inst.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\tvs_re_inst.exe
Virus:W32/Klez.I Disinfected C:\Program Files\Plus!\Themeexe.W98
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\mshpeb.dll
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\Searchx.htm
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\mscif.exe
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\cabinet7.exe
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msnapl.dll
Spyware:Spyware/RXToolbar No disinfected C:\WINDOWS\system32\RxBarSetup.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\jlkfeb.dll
Adware:Adware/ValueAd No disinfected C:\WINDOWS\system32\bpdf.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\sysfile.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\system32\book.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\system32\book2.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin
Adware:Adware/Sqwire No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msfaol.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msiaih.dll
Virus:Trj/Imk.A Disinfected C:\WINDOWS\system32\msnimk.gif
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\mseggo.gif
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msglji.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Virus:Trj/Siboco.A Disinfected C:\WINDOWS\system32\second.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhdom1.bin
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhdomp1.bin
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dsearch1.bin
Spyware:Spyware/ShopNav No disinfected C:\WINDOWS\unist2.exe
Virus:Trj/Subsearch.G Disinfected C:\Documents and Settings\All Users\Application Data\IEService\v28.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Pat\Application Data\tvmknwrd.dll
  • 0

#6
Excal
Posted 13 July 2005 - 06:42 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Tonesterh,

Some of the steps seem the same, and they are. Please follow the instructions again carefully. If you do not understand anything, please ask before the fix so i can clarify it for you. Thanks :tazz:


First, we need to remove the pepper trojan. Download this file, run, and let terminate (it'll just blink briefly on your screen and won't appeared to have done much--this is normal): http://www.geekstogo...=download&id=18



THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)

C:\WINDOWS\Nail.exe
c:\windows\system32\vjbrjnl.exe

5. Once in Safe Mode, please double-click on
Nailfix.cmd Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

6. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\system32\tsmgr.exe
O4 - HKLM\..\Run: [tr] C:\documents and settings\pat\local settings\temp\tr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [3TFECJW2RNH4YZ] C:\WINDOWS\System32\Ovbl73H.exe
O4 - HKLM\..\Run: [S1vw] C:\documents and settings\pat\local settings\temp\S1vw.exe
O4 - HKLM\..\Run: [e3943625ed43] C:\WINDOWS\System32\ntlanman.exe
O4 - HKLM\..\Run: [Ljbmrl] C:\Program Files\Ekgmn\Dqic.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [3224bd9542a2] C:\WINDOWS\System32\umpnpmgr.exe
O4 - HKLM\..\Run: [cxin] C:\DOCUME~1\Pat\LOCALS~1\Temp\~MySetup.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [2TDYN#33SYHFJS] C:\WINDOWS\system32\Cjp9g.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [iiiwmf] c:\windows\system32\vjbrjnl.exe r

10. click the Fix Checked box

11. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

tvs_b

12. Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\system32\FLEOK
C:\Program Files\Common Files\slmss
C:\WINDOWS\bsx32
C:\Documents and Settings\Pat\Application Data\Lycos
c:\Program Files\Ftk
C:\Program Files\Ekgmn
C:\PROGRAM FILES\COMMON FILES\WinTools
C:\program files\tvs
C:\WINDOWS\System32\vidctrl

13. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\Cjp9g.exe
C:\WINDOWS\System32\umpnpmgr.exe
C:\WINDOWS\System32\ntlanman.exe
C:\WINDOWS\System32\Ovbl73H.exe
C:\WINDOWS\system32\RxBarSetup.dll
C:\WINDOWS\system32\mshpeb.dll
C:\WINDOWS\system32\Searchx.htm
C:\WINDOWS\system32\mscif.exe
C:\WINDOWS\system32\cabinet7.exe
C:\WINDOWS\system32\msnapl.dll
C:\WINDOWS\system32\RxBarSetup.dll
C:\WINDOWS\system32\jlkfeb.dll
C:\WINDOWS\system32\bpdf.exe
C:\WINDOWS\system32\sysfile.dll
C:\WINDOWS\system32\book.dll
C:\WINDOWS\system32\book2.dll
C:\WINDOWS\system32\winupdt.bin
C:\WINDOWS\system32\Searchx.htm
C:\WINDOWS\system32\tsmgr.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\msfaol.dll
C:\WINDOWS\system32\msiaih.dll
C:\WINDOWS\system32\msnimk.gif
C:\WINDOWS\system32\mseggo.gif
C:\WINDOWS\system32\msglji.gif
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\second.exe
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\alchem.ini
C:\WINDOWS\dhdom1.bin
C:\WINDOWS\dhdomp1.bin
C:\WINDOWS\dsearch1.bin
C:\WINDOWS\unist2.exe
C:\WINDOWS\alchem.inf
C:\Documents and Settings\Pat\Application Data\tvm*.dll
C:\Documents and Settings\All Users\Application Data\IEService\v28.exe
C:\Documents and Settings\Pat\Application Data\tvmknwrd.dll
C:\Program Files\Common Files\Java\ftkcpy.exe
C:\Program Files\Common Files\Java\tvs_inst.exe
C:\Program Files\Common Files\Java\tvs_re_inst.exe
C:\Program Files\Plus!\Themeexe.W98

14. Run the program CleanUp!

15. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

16. Please post an Active scan log , Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.

Edited by Excal, 13 July 2005 - 06:43 AM.

  • 0

#7
Tonesterh
Posted 15 July 2005 - 09:43 PM

Tonesterh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Here are my logs. Computer seems to be running ok. Was wondering about the stuff Activescan found. See if I got everything this time.


----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:36:45 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119758350258
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

-----------------------------------------------------------------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:35:53 PM, 7/15/2005
+ Report-Checksum: 7377F091

+ Scan result:

No infected objects found.


-----------------------------------------------------------------------------------------------


Incident Status Location

Adware:adware/portalscan No disinfected C:\PROGRAM FILES\System Soap Pro
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ROTUE
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
Adware:adware/blazefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINDOWS SA
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/flashtrack No disinfected HKEY_CLASSES_ROOT\UNAWAREOBJ.UNAWAREOBJ.1
Adware:adware/ieplugin No disinfected HKEY_CLASSES_ROOT\WBHO.BAND.1
Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CXIN
Adware:adware/sidesearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\LYCOS
Adware:adware/mywebsearch No disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/funweb No disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Spyware:spyware/istbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ISTSVC
Adware:adware/memorywatcher No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\MEMORYWATCHER
Adware:adware/cws No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE_BAK
Adware:adware/ncase No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK
Adware:adware/iedriver No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{120E090D-9136-4B78-8258-F0B44B4BD2AC}
Adware:adware/fastfind No disinfected HKEY_CLASSES_ROOT\Interface\{5A4E1627-8677-41F7-B78C-4CACDF5B12FF}
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:adware/myway No disinfected HKEY_LOCAL_MACHINE\software\classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}
  • 0

#8
Excal
Posted 15 July 2005 - 10:46 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please remove the following folders using Windows Explorer (if present):

C:\PROGRAM FILES\System Soap Pro


Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ROTUE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINDOWS SA]

[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC]

[-HKEY_CLASSES_ROOT\UNAWAREOBJ.UNAWAREOBJ.1]

[-HKEY_CLASSES_ROOT\WBHO.BAND.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CXIN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\LYCOS]

[-HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}]

[-HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ISTSVC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\MEMORYWATCHER]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE_BAK]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{120E090D-9136-4B78-8258-F0B44B4BD2AC}]

[-HKEY_CLASSES_ROOT\Interface\{5A4E1627-8677-41F7-B78C-4CACDF5B12FF}]

[-HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]

[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}]

[-HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}]


Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in: SvcProc
  • Click "ok", then reboot
Post back let me know how everything went, and how your computer is running.


Thanks,

:tazz:

Excal
  • 0

#9
Tonesterh
Posted 19 July 2005 - 05:30 PM

Tonesterh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
SvcProc was not found in HJT. Is there something else I need to do?
  • 0

#10
Excal
Posted 19 July 2005 - 10:10 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Everything looks good! Is everything still running good?

:tazz:

Excal
  • 0

#11
Tonesterh
Posted 20 July 2005 - 09:32 PM

Tonesterh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Seems to be running just fine. Thanks for all your help.
  • 0

#12
Excal
Posted 20 July 2005 - 09:35 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#13
Excal
Posted 04 August 2005 - 07:24 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP