Winfixer Problem



#16 Wizard (Retired Staff, 5,661 posts)
Download LQfix.zip:
http://users.pandora...atchy/LQfix.zip
Unzip it and save it to your desktop. Don't use it yet!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Download Pocket KillBox from here:
http://www.atribune....llBox_beta_.exe

Highlight the list below and press Ctrl+C to Copy!

C:\Program Files\apsi\wtta.exe
C:\Program Files\apsi
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\SYSTEM32\Searchx.htm
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\DOCUMENTS AND SETTINGS\OWNER\FAVORITES\Technology
C:\oLD_dATA\WINDOWS\Downloaded Program Files\ieatgpc.inf
C:\Program Files\Privacy Champion\pscan.exe
C:\Program Files\Privacy Champion
C:\WINDOWS\system32\qcdzse.exe
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\udsngns.exe
C:\WINDOWS\Temp\ASHeuristic\wtta.exe.vir
C:\WINDOWS\Temp\ASHeuristic
C:\WINDOWS\system32\m190309.EXE
C:\WINDOWS\System32\sqnmmc.exe
C:\WINDOWS\ttupt.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\System32\ialetc.exe


Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!

Restart in Safe Mode!

From the LQfix folder-> Double-click LQfix.bat, which you saved on your desktop earlier.

A DOS window will open and close again; this is normal.

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R3 - Default URLSearchHook is missing

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE

O4 - HKLM\..\Run: [sqnmmc] C:\WINDOWS\System32\sqnmmc.exe

O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe

O4 - HKCU\..\Run: [ialetc] C:\WINDOWS\System32\ialetc.exe

O4 - HKCU\..\Run: [Qym] C:\WINDOWS\System32\?hkntfs.exe

O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe

O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

From the WinPFind folder-> Double-click WinPFind.exe and click "Start Scan".

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Restart in Normal Mode and have the PC scanned here to see how we did:
http://support.f-sec.../home/ols.shtml

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\System32\?hkntfs.exe /a > files.txt
rem /a lists hidden and system files as well; the ? matches any single character in the name
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

Post the reports from WinPFind and F-Secure as well!



#17 gferman (Topic Starter, Member, 20 posts)
C:\!Submit\qcdzse.exe Trojan.Win32.Agent.gp

C:\!Submit\udsngns.exe Trojan.Win32.Agent.gp

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\05960F16 Email-Worm.Win32.NetSky.d

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\05AD34FC Email-Worm.Win32.NetSky.d

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\1BDE45B6 Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\251448AF Email-Worm.Win32.Bagle.y

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\259A021C Email-Worm.Win32.Bagle.y

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\2E360959 Email-Worm.Win32.Bagle.af

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\2EAB70D7 Email-Worm.Win32.Bagle.af

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\382552E6 Email-Worm.Win32.NetSky.q

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\385074B7 Email-Worm.Win32.NetSky.q

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\44F63639 Password-protected-EXE

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\45377DF1 Password-protected-EXE

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\45996985 Password-protected-EXE

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\45A3677A Password-protected-EXE

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\4C0C30B0 Email-Worm.Win32.NetSky.d

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\4C1F2C9B Email-Worm.Win32.NetSky.d

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\53FF67F2 Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\594A781F Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\596871FF Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\6D9B5294 Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\6DB2787B Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\7A3D4EB5 Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\7A504AA0 Email-Worm.Win32.Bagle.z

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\7B153A8D Email-Worm.Win32.Bagle.y

C:\oLD_dATA\Program Files\Norton AntiVirus\Quarantine\7B4A5A53 Email-Worm.Win32.Bagle.y

C:\Program Files\Norton AntiVirus\Quarantine\007542CA Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\007A4967.exe Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\00801D5F.dll Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\00801D5F.exe Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\03400D24 Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\03433721 Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\03505F12.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\0354090F.cpl Trojan-Downloader.Win32.Qoologic.p

C:\Program Files\Norton AntiVirus\Quarantine\0357330B Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\04E1280C.dll Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\04E1280C.exe Trojan-Downloader.Win32.Small.abd

C:\Program Files\Norton AntiVirus\Quarantine\07F47C11.exe Trojan-Downloader.Win32.Delf.go

C:\Program Files\Norton AntiVirus\Quarantine\0D2F6F05.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\0D8E0FF9.exe Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\0FAA2B79.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\10A2631D.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\148B3DC3.exe Trojan-Dropper.Win32.Agent.gd

C:\Program Files\Norton AntiVirus\Quarantine\153D5C47.exe Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\15410643.dll Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\15443040.exe Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\174C464E.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\174C464E.exe Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\174F704B.cpl Trojan-Downloader.Win32.Qoologic.p

C:\Program Files\Norton AntiVirus\Quarantine\174F704B.dll Trojan-Downloader.Win32.Qoologic.p

C:\Program Files\Norton AntiVirus\Quarantine\17531A47 Trojan-Downloader.Win32.Adload.a

C:\Program Files\Norton AntiVirus\Quarantine\17564443.exe Trojan.Win32.Agent.ay

C:\Program Files\Norton AntiVirus\Quarantine\17596E40.exe Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\19403EE6.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\194612DF.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\194D66D7.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\1CCC40CA.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\1F4434EA.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\1F475EE7.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\1F475EE7.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\1F515CDC.exe Trojan-Downloader.Win32.Apropo.ag

C:\Program Files\Norton AntiVirus\Quarantine\1F6558C6.exe Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\1F7B7EAD.exe Trojan-Clicker.Win32.Agent.ei

C:\Program Files\Norton AntiVirus\Quarantine\20D25988.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\2FAE6727.exe Trojan-Downloader.Win32.Apropo.ae

C:\Program Files\Norton AntiVirus\Quarantine\38667CAD.exe Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\38707AA3.exe Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\387A7898.dll Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\3B4E2767.dll Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\3BE63310.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\3BE95D0C.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\3BE95D0C.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\3BEC0708.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\3BF35B01.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\3BF35B01.exe Trojan-Downloader.Win32.Delmed.a

C:\Program Files\Norton AntiVirus\Quarantine\41A266B7.dll Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\422C1E12.sys Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\43E97ECD.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\43EC28C9.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\43EC28C9.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\43F27CC2.exe Trojan.Win32.StartPage.nk

C:\Program Files\Norton AntiVirus\Quarantine\43FC7AB7.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\43FF24B4.exe Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\44034EB0.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\47B66AEC.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\47BD3EE4.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\47CD2581 Trojan-Downloader.Win32.Qoologic.x

C:\Program Files\Norton AntiVirus\Quarantine\49983159.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\499B5B56.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\499E0552.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\499E0552.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\49A80347.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\49AF5740.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\4C460434.exe Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\4C532C25.exe Trojan-Downloader.Win32.Qoologic.o

C:\Program Files\Norton AntiVirus\Quarantine\4C532C25.sys Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\4C565622.exe Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\4C5A001E.cpl Trojan-Downloader.Win32.Qoologic.p

C:\Program Files\Norton AntiVirus\Quarantine\4C5D2A1A.dll Trojan-Downloader.Win32.Qoologic.p

C:\Program Files\Norton AntiVirus\Quarantine\4C605417.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\4C7D42BA.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\4C8416B3.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\52B16116.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\52B50B12.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\52B8350E.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\52BB5F0B Trojan-Downloader.Win32.Small.abd

C:\Program Files\Norton AntiVirus\Quarantine\52BB5F0B.exe Trojan-Downloader.Win32.Small.bgl

C:\Program Files\Norton AntiVirus\Quarantine\52BE0907.exe Trojan-Spy.Win32.VB.eh

C:\Program Files\Norton AntiVirus\Quarantine\52C23304 Trojan-Downloader.Win32.Qoologic.v

C:\Program Files\Norton AntiVirus\Quarantine\52C23304.exe Trojan-Spy.Win32.VB.eh

C:\Program Files\Norton AntiVirus\Quarantine\52C5112A.exe Trojan-Downloader.Win32.Apropo.ag

C:\Program Files\Norton AntiVirus\Quarantine\52C55D00.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\5C330537.htm Exploit.HTML.Mht

C:\Program Files\Norton AntiVirus\Quarantine\5CF06F4D.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\5D6E30EA.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\5EEE1D7E Trojan-Downloader.Win32.Qoologic.n

C:\Program Files\Norton AntiVirus\Quarantine\669A3787.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\685753C6.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\6AB000EA.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\6C64529E.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\6DC0300E.exe Trojan-Downloader.Win32.Agent.ro

C:\Program Files\Norton AntiVirus\Quarantine\6E262616.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\70D30414.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\730F4B3D.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\730F4B3D.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\73867C7D.exe Trojan-Clicker.Win32.Agent.ei

C:\Program Files\Norton AntiVirus\Quarantine\738D5075.exe Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\73907A72.exe Trojan-Downloader.Win32.Apropo.ag

C:\Program Files\Norton AntiVirus\Quarantine\7393246E.com Trojan-Dropper.Win32.Agent.pb

C:\Program Files\Norton AntiVirus\Quarantine\7393246E.exe Trojan-Downloader.Win32.Apropo.u

C:\Program Files\Norton AntiVirus\Quarantine\73A04C60.dll Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\73A04C60.exe Trojan-Downloader.Win32.Intexp.d

C:\Program Files\Norton AntiVirus\Quarantine\73AD7451.exe Trojan-Dropper.Win32.Agent.lu

C:\Program Files\Norton AntiVirus\Quarantine\73B4484A.exe Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\73C41A38.exe Trojan-Dropper.Win32.Small.qn

C:\Program Files\Norton AntiVirus\Quarantine\75C60482.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\77A00B6B.dll Trojan-Downloader.Win32.Qoologic.p

C:\Program Files\Norton AntiVirus\Quarantine\79B76214.exe Trojan-Downloader.Win32.Qoologic.aa

C:\Program Files\Norton AntiVirus\Quarantine\7A264201.exe Trojan-Downloader.Win32.Delf.go

C:\Program Files\Norton AntiVirus\Quarantine\7A2D15FA.exe Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\7A303FF6.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\7A3613EF.sys Trojan.Win32.Kolweb.b

C:\Program Files\Norton AntiVirus\Quarantine\7A3A3DEB.exe Trojan-Downloader.Win32.Qoologic.u

C:\Program Files\Norton AntiVirus\Quarantine\7A3D67E8.dll Trojan-Downloader.Win32.Qoologic.t

C:\Program Files\Norton AntiVirus\Quarantine\7A9406AF.exe Trojan-Downloader.Win32.Agent.am

#18 gferman (Topic Starter, Member, 20 posts)
Volume in drive C is PRESARIO
Volume Serial Number is 746B-B1E0

Directory of C:\WINDOWS\system32

08/29/2002 08:00 AM 11,264 chkntfs.exe
07/21/2005 09:55 AM 401,408 ?hkntfs.exe
2 File(s) 412,672 bytes

Directory of C:\Documents and Settings\Owner\Desktop

#19 Wizard (Retired Staff, 5,661 posts)
OK, go into Safe Mode-> Double-check that Windows is showing hidden files:
http://www.bleepingc...ut62.html#winxp

Navigate to C:\Windows\System32

Once in the System32 folder, look for these two:

The good file will be

chkntfs.exe <- Created on 8/29/2002 08:00 AM

With a size of 11,264 bytes or 11 KB

The bad file will look similar, but the ? can be anything, so look closely please!

?hkntfs.exe <- Created on 07/21/2005 09:55 AM

With a size of 401,408 bytes or 392 KB

Get rid of that bad file and post back with a fresh HijackThis log!
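An added example (not from the thread, and not a tool the helper used) that automates the check above over a directory listing. It flags a name that is one character away from a known system binary such as chkntfs.exe, reports any character outside printable ASCII in the name (one common reason HijackThis and a redirected dir show a "?"; that this is what happened here is an assumption), and compares the size of an exact-name match against the known-good value. The two System32 entries are the ones quoted in the dir output above; the other entries, and the Cyrillic letter standing in for the "?", are constructed.

```python
"""Spot look-alike copies of Windows system binaries in a directory listing.

Added example, not from the thread. The two System32 entries in SAMPLE are
the ones quoted in the dir output above; the others are constructed. The
Cyrillic letter used for the bad file's first character is an assumption:
the thread only shows it as '?'.
"""
import os
import time
import unicodedata
from dataclasses import dataclass

# Known-good size for the legitimate binary (value quoted in the thread).
KNOWN_GOOD = {"chkntfs.exe": 11264}


@dataclass
class Entry:
    name: str
    size: int
    date: str  # mm/dd/yyyy, as dir prints it


def hamming1(a: str, b: str) -> bool:
    """True when a and b have the same length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def odd_chars(name: str) -> list:
    """Characters outside printable ASCII, as U+XXXX plus their Unicode name."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
            for c in name if not 32 <= ord(c) < 127]


def escaped(name: str) -> str:
    """Name with non-ASCII characters shown as \\uXXXX so it can be typed or searched for."""
    return name.encode("ascii", "backslashreplace").decode("ascii")


def triage(entries: list) -> list:
    """Return (entry, reasons) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        reasons = []
        low = e.name.lower()
        for good, good_size in KNOWN_GOOD.items():
            if low == good and e.size != good_size:
                reasons.append(f"size {e.size} differs from known-good {good_size}")
            elif hamming1(low, good):
                reasons.append(f"one character away from {good} (real name: {escaped(e.name)})")
        odd = odd_chars(e.name)
        if odd:
            reasons.append("non-ASCII character(s) in name: " + ", ".join(odd))
        if reasons:
            findings.append((e, reasons))
    return findings


def scan_directory(path: str) -> list:
    """Build entries from a real directory (on the affected PC: C:\\Windows\\System32)."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                st = d.stat(follow_symlinks=False)
                out.append(Entry(d.name, st.st_size,
                                 time.strftime("%m/%d/%Y", time.localtime(st.st_mtime))))
    return out


# Constructed sample listing; the first two entries are the ones quoted in the thread.
SAMPLE = [
    Entry("chkntfs.exe", 11264, "08/29/2002"),
    Entry("\u0441hkntfs.exe", 401408, "07/21/2005"),  # assumed: Cyrillic es (U+0441), looks like Latin c
    Entry("chkdsk.exe", 12800, "08/29/2002"),          # constructed benign neighbour
    Entry("notepad.exe", 69120, "08/04/2004"),         # constructed benign neighbour
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE):
        print(f"{escaped(entry.name)}  {entry.size:>9,} bytes  {entry.date}")
        for r in reasons:
            print("   -", r)
```

On the affected machine you would pass scan_directory(r"C:\Windows\System32") instead of SAMPLE. The U+XXXX escape in the finding is what lets you locate the file when Explorer's search box and an ANSI dir listing show only "?": a lookalike that is one character off and hundreds of KB larger than the 11 KB original is the thing to remove.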

#20 gferman (Topic Starter, Member, 20 posts)
I could not find the second file. I did a search and did not find that way either.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:13:23 AM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\edcnyfx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.canesport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ezrbrc] C:\WINDOWS\system32\edcnyfx.exe r
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116447252750
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123635552875
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet...ls/YBUICtrl.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#21 Wizard (Retired Staff, 5,661 posts)
OK, now we have to combat the Nail infection!

Update Ewido with the Latest Definitions!

Delete the old LQfix you downloaded and download the latest version; the link will be in the canned fix I am going to give you!

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.
Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for C:\WINDOWS\system32\edcnyfx.exe.
  • Open your C:\Windows\system32 folder and search for edcnyfx.exe.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select C:\WINDOWS\system32\edcnyfx.exe and Click Kill3
  • Then immediately delete edcnyfx.exe from your system32 folder.
Close APT.

To reboot into Safe Mode with Windows XP, you can follow these steps from Microsoft.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ezrbrc] C:\WINDOWS\system32\edcnyfx.exe r

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

(add other entries here as well)

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now using Windows Explorer find and remove the following folders/files

C:\WINDOWS\dinst <-- File

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point, removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the report log from the ewido scan, by using Add Reply.

#22
gferman (Topic Starter, Member, 20 posts)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:19:46 AM, 8/19/2005
+ Report-Checksum: 522C295D

+ Scan result:

C:\!Submit\qcdzse.exe -> Trojan.Agent.gp : Cleaned with backup
C:\!Submit\udsngns.exe -> Trojan.Agent.gp : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/chyptdll.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/mdbsync.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/mfrdim.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\1E54.tmp -> Trojan.Agent.gp : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\1E9C.tmp -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 7:22:19 AM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.canesport.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ezrbrc] C:\WINDOWS\system32\edcnyfx.exe r
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116447252750
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123635552875
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet...ls/YBUICtrl.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#23
Wizard (Retired Staff, 5,661 posts)
If Spyware Doctor or Microsoft AntiSpyware are running, please disable them during this step!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [ezrbrc] C:\WINDOWS\system32\edcnyfx.exe r

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Install these 2 for some added security

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!


WinHelp2002 Hosts File
http://www.mvps.org/...p2002/hosts.htm

Made Easy
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

I think it's safe to start removing some of the programs I had you download!

I would keep Ewido-> Spyware Blaster-> WinHelp2002 Hosts file!

Go ahead and Reconfigure Msconfig the way you like the PC to Start Up!

Post back and let me know how the PC is running?
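The four entries the helper asks to fix above (a second program appended to the Shell= value, a BHO whose DLL is gone, and two Run keys), together with the unowned SvcProc service from earlier in the thread, are patterns that can be checked mechanically across a whole HijackThis log rather than by eye. The script below is an added example, not code from this thread nor part of HijackThis. Its sample lines are constructed from entries quoted in this thread, its indicator list is the set of filenames the helper named here (not a general signature set), and the "executable autostarting straight from the Windows root" heuristic is an assumption of the example.

```python
"""Triage a HijackThis 1.99-format log for the persistence patterns
discussed in this thread (added example, not from the thread or HijackThis)."""
import ntpath
import re

# Constructed sample in HijackThis log format, modelled on entries quoted in
# this thread; it is not a real log file.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ezrbrc] C:\WINDOWS\system32\edcnyfx.exe r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Filenames the helper identified in this thread. Any IOC list is analyst
# input; this one is specific to this thread, not a general signature set.
THREAD_IOCS = {"nail.exe", "dinst.exe", "edcnyfx.exe", "svcproc.exe", "dsr.dll"}

# First drive-letter path ending in an executable/library extension, quoted or not.
WIN_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat))"?',
                      re.IGNORECASE)


def first_path(text):
    m = WIN_PATH.search(text)
    return m.group(1) if m else None


def triage(log_text, iocs=frozenset(), windir=r"C:\WINDOWS"):
    """Return findings as dicts: section, severity ('fix' or 'review'), reason, line."""
    iocs = {n.lower() for n in iocs}
    findings = []

    def hit(section, severity, reason, line):
        findings.append({"section": section, "severity": severity,
                         "reason": reason, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        path = first_path(line)
        name = ntpath.basename(path).lower() if path else ""

        if section == "F2" and "Shell=" in line:
            # winlogon launches every program on the Shell= line as the shell,
            # at every logon and in Safe Mode too; only Explorer.exe belongs here.
            shell = line.split("Shell=", 1)[1]
            extras = [t for t in shell.split() if t.lower() != "explorer.exe"]
            if extras:
                hit(section, "fix", "extra shell program: " + " ".join(extras), line)

        elif section == "O2":
            if "(file missing)" in line:
                hit(section, "fix", "BHO registered for a file that no longer exists", line)
            elif name in iocs:
                hit(section, "fix", "BHO file is a known indicator: " + name, line)

        elif section == "O4":
            if name in iocs:
                hit(section, "fix", "autostart of known indicator: " + name, line)
            elif path and ntpath.dirname(path).lower() == windir.lower():
                # Heuristic assumed by this example: vendors rarely autostart an
                # EXE dropped straight into the Windows root. Worth a look,
                # not automatic removal.
                hit(section, "review", "autostart directly from Windows root: " + name, line)

        elif section == "O23":
            parts = line.split(" - ")
            owner = parts[2] if len(parts) >= 4 else ""
            if name in iocs:
                hit(section, "fix", "service binary is a known indicator: " + name, line)
            elif owner == "Unknown owner":
                # No vendor string in the binary's version info: common for
                # malware, but also for legitimate OEM software (OmniPass here).
                hit(section, "review", "service binary has no vendor information", line)

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, THREAD_IOCS):
        print(f"{f['severity']:6} {f['section']:3} {f['reason']}")
```

Run against the sample, the script marks the Shell= addition, the dead Band Class BHO, both malicious Run keys and the SvcProc service as "fix", while the Softex OmniPass service only gets "review": it also lacks a vendor string, but it is the OEM fingerprint software on this HP/Compaq machine, which is exactly why an "Unknown owner" entry should be decided by a person rather than removed automatically.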

#24
gferman (Topic Starter, Member, 20 posts)
Right now we are looking pretty good. I can't thank you enough. The PC is running well and I am no longer getting a barrage of spyware. Hopefully it stays that way. Thank you again. You guys are the best.

#25
Wizard (Retired Staff, 5,661 posts)
Lets see a HijackThis log to be sure all looks well!

#26
gferman (Topic Starter, Member, 20 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:37:24 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.canesport.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canesport.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116447252750
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123635552875
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet...ls/YBUICtrl.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F869453-70EC-4022-9751-4C1A097B990E}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#27
Wizard (Retired Staff, 5,661 posts)
Go ahead and re-enable System Restore!

Be sure to read through those 3 little black links to get some good ideas on how to avoid this in the future!

I do believe you are good to go!

Excellent Work!! :tazz:

#28
gferman (Topic Starter, Member, 20 posts)
How do I re-enable System Restore?

#29
Wizard (Retired Staff, 5,661 posts)
Just work the steps in reverse and uncheck the box!
http://service1.syma...src=sec_doc_nam

#30
gferman (Topic Starter, Member, 20 posts)
This link didn't work.

I am confused on this one.