Is the system really cleaned?



#1
Ekos1975


    New Member

  • Member
  • Pip
  • 4 posts
Hi. Today I ran into some trouble with my computer. I found two files in my startup folder (usb32.exe and default.scr) which shouldn't be there, and in Outlook and other places hyperlinks react as an exe file, so when you click one you are asked for a save location.

So after searching the web and this site I removed my virus scanner (Norton Enterprise) and installed Panda 2004 and adware. After scanning it says nothing is found. Panda removed the above viruses/trojans. But my links still don't work.

Any other tools I should use?

Thanks in advance

Edgar
  • 0



#2
admin


    Founder Geek

  • Community Leader
  • 24,639 posts
Welcome to GTG Edgar. <_<

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential. DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
Ekos1975


    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here is the requested log. I already had the program and found some things too, but didn't do anything yet. Oh, P is the drive where programs are installed; this is to restore the system within minutes if required.

My findings for strange things:

GEARSec.exe
alg.exe
ypager.exe (Yahoo Messenger? not installed)
desktopx (DesktopX is not installed)


Logfile of HijackThis v1.98.2
Scan saved at 17:50:25, on 2004-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
P:\Panda\Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Messenger Plus!\MsgPlus.exe
P:\Cyber Link\Power DVD\PDVDServ.exe
P:\Panda\Antivirus 2005\APVXDWIN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
P:\Executive\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
P:\Panda\Antivirus 2005\Firewall\PavFires.exe
P:\Panda\Antivirus 2005\PavFnSvr.exe
P:\Panda\Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
P:\Panda\Antivirus 2005\pavsrv51.exe
P:\Panda\Antivirus 2005\prevsrv.exe
P:\Panda\Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
P:\Panda\Antivirus 2005\AVENGINE.EXE
P:\Symantec\V2i\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\alg.exe
P:\Panda\Antivirus 2005\WebProxy.exe
P:\Adobe\Adobe Photoshop CS\Photoshop.exe
T:\EKoster\Tmp\~e5d141.tmp
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
T:\EKoster\Tmp\~e5d141.tmp
P:\Microsoft\Office\OFFICE11\OUTLOOK.EXE
P:\Microsoft\Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
P:\Administrative Tools\HijackThis.exe

O2 - BHO: (no name) - {FD3A6AB4-5527-4B52-90AF-F90CD3270861} - C:\WINDOWS\system32\inetconnect.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - P:\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!\MsgPlus.exe"
O4 - HKLM\..\Run: [RemoteControl] "p:\Cyber Link\Power DVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Microsoft Security Hot Fix Update] "%SystemRoot%\mshotfix.exe"
O4 - HKLM\..\Run: [APVXDWIN] "P:\Panda\Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DesktopX] "P:\Stardock\Desktop X\DesktopX.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\MICROS~1\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - P:\MICROS~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E55E0E01-08D0-48BE-97F0-954B55CF23BE} - http://download.familytreelegends.com/ftl/one-click/3.21/Setup.cab

  • 0

#4
-=jonnyrotten=-


    Member 2k

  • Retired Staff
  • 2,678 posts
Gearsec.exe is a driver for CD-RW, released by GEAR Software and used by iTunes and some other software.

alg.exe is a part of the Microsoft Windows operating system. It is a core process for Microsoft Windows Internet Connection Sharing and Internet Connection Firewall.

I highly recommend uninstalling Messenger Plus! If you do not uninstall it then ignore the HijackThis entries listed below and remove everything else.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes next to only the following items, then click Fix checked.

O2 - BHO: (no name) - {FD3A6AB4-5527-4B52-90AF-F90CD3270861} - C:\WINDOWS\system32\inetconnect.dll (file missing)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!\MsgPlus.exe"

O4 - HKLM\..\Run: [Microsoft Security Hot Fix Update] "%SystemRoot%\mshotfix.exe"
http://www.sophos.co...ojadclickx.html <<Trojan

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DesktopX] "P:\Stardock\Desktop X\DesktopX.exe"
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab

Please reboot into safe mode - How do I boot into "Safe" mode?
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\Program Files\Messenger Plus!
%SystemRoot%\mshotfix.exe
C:\Program Files\Yahoo!
P:\Stardock (try uninstalling DesktopX first from Control Panel, Add/Remove Programs)

Reboot normally and post a fresh log. If it is clean I will then have a few more scanners and programs for you to use to clean up everything else left behind.

-=jonnyrotten=- <_<
  • 0

#5
Ekos1975


    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi. I did as mentioned. I first removed MSN Plus and then the keys. I went to safe mode, but the folders were gone already. The thing I do first after every uninstall is look for leftovers.

The new log:

Logfile of HijackThis v1.98.2
Scan saved at 11:37:00, on 2004-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
P:\Panda\Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
P:\Cyber Link\Power DVD\PDVDServ.exe
P:\Panda\Antivirus 2005\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
P:\Executive\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
P:\Panda\Antivirus 2005\Firewall\PavFires.exe
P:\Panda\Antivirus 2005\PavFnSvr.exe
P:\Panda\Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
P:\Panda\Antivirus 2005\pavsrv51.exe
P:\Panda\Antivirus 2005\prevsrv.exe
P:\Panda\Antivirus 2005\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
P:\Panda\Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\System32\wdfmgr.exe
P:\Symantec\V2i\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\alg.exe
P:\Panda\Antivirus 2005\WebProxy.exe
P:\Microsoft\Office\OFFICE11\OUTLOOK.EXE
P:\Microsoft\Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
P:\Administrative Tools\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - P:\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "p:\Cyber Link\Power DVD\PDVDServ.exe"
O4 - HKLM\..\Run: [APVXDWIN] "P:\Panda\Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\MICROS~1\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - P:\MICROS~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E55E0E01-08D0-48BE-97F0-954B55CF23BE} - http://download.familytreelegends.com/ftl/one-click/3.21/Setup.cab

  • 0
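As an added example (not part of the thread, and not a HijackThis feature): a small Python check of a follow-up log against the first log and the fix list, using lines excerpted from the logs above. The function names are illustrative, and entries are compared case-insensitively because the ctfmon Run value appears as [CTFMON.EXE] in the first log and [ctfmon.exe] in the second.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map a case-folded (section, body) key to the original line text.
    Header and running-process lines do not match ENTRY and are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Registry value names are case-insensitive, so fold case for comparison.
            entries[(m.group(1), m.group(2).casefold())] = line.strip()
    return entries

def verify_fix(before, after, fix_list):
    """Check a follow-up log against the first log and the helper's fix list."""
    b, a, f = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "removed": sorted(b[k] for k in f if k in b and k not in a),
        "still_present": sorted(a[k] for k in f if k in a),
        "new_since_first": sorted(a[k] for k in a if k not in b),
        "file_missing": sorted(v for v in a.values() if v.endswith("(file missing)")),
    }

# Excerpts copied from the two logs and the fix list in this thread (not the full logs).
BEFORE = r"""
O2 - BHO: (no name) - {FD3A6AB4-5527-4B52-90AF-F90CD3270861} - C:\WINDOWS\system32\inetconnect.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Security Hot Fix Update] "%SystemRoot%\mshotfix.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {FD3A6AB4-5527-4B52-90AF-F90CD3270861} - C:\WINDOWS\system32\inetconnect.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Security Hot Fix Update] "%SystemRoot%\mshotfix.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

if __name__ == "__main__":
    for label, lines in verify_fix(BEFORE, AFTER, FIX_LIST).items():
        print(f"{label}: {len(lines)}", *lines, sep="\n    ")
```

An entry under `still_present` means a fix did not take or the item was recreated after reboot; an entry under `new_since_first` is something to review before calling the log clean.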

#6
-=jonnyrotten=-


    Member 2k

  • Retired Staff
  • 2,678 posts
Very nice. I just always have users remove the folders after uninstalling because a lot of times the uninstall program does not remove the folder.

Congratulations! Your system is CLEAN <_<

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the HijackThis folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :D

How are things running now?

-=jonnyrotten=- :D
  • 0

#7
Ekos1975


    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the help.

I already downloaded Firefox a week ago and was testing it on the laptop. I'm going to install it now, next to Internet Explorer, for some sites can't do without it. Sun Java is already in use, for I needed it for something when MS didn't have theirs. Everything else is running fine (except that 350 MB of memory is in use, which I need to check).

PS: your link goes to version 4 of Windows Update. It now has version 5.
  • 0

#8
admin


    Founder Geek

  • Community Leader
  • 24,639 posts

PS: your link goes to version 4 of Windows Update. It now has version 5.

Thanks for pointing that out. <_< The link should be to the dynamic update site, and will be changed. :D
  • 0





