Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

it started with PSGuard... [CLOSED]


  • This topic is locked This topic is locked

#1
scott leigh

scott leigh

    New Member

  • Member
  • Pip
  • 3 posts
Hey there

got a problem with PSguard...or at least thats what i think it is. I've done my utmost to sort this out by myself and now i can't even get Internet Explorer or my ISP browser to work.

I downloaded the following and did scans in safe mode after updating their definitions:
CWshredder, Ewido, MS Antispyware (beta), Xoftspy & Adaware, with an final scan by Panda.

Having run these Panda got rid of a virus but couldn't delete some of the adaware, MS Antispyware keeps finding some Admilli trojans and Ewido does the same.

Also i am unable to restore to an earlier restore point, keeps stating restore incomplete and returns to current setup.

Log file is below...

Logfile of HijackThis v1.99.1
Scan saved at 11:18:04, on 26/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Documents and Settings\Leigh\My Documents\My Received Files\av software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.philrees.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {F575EAE8-CEAA-A155-BAC9-E707C7737E52} - D:\WINDOWS\system32\ieyy.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlsv32.exe] D:\WINDOWS\atlsv32.exe
O4 - HKLM\..\Run: [msud32.exe] D:\WINDOWS\system32\msud32.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Remote_Agent] "D:\Program Files\CyberLink Media Carnival\PowerVCR II\RemoteAgent.exe"
O4 - HKCU\..\Run: [SpeedswitchXP] D:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} - file://E:\IntraLaunch.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com...ScannerCtrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://D:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

I am not an advanced user, so please be gentle, any help would be much appreciated and rewarded since i've lost 2 days trying to sort this out now and i'm starting to feel like i've been on a stag weekend to Amsterdam!

Many thanks

Scott
  • 0

Advertisements


#2
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I made a good fix for this, I will post a reply. Thank you for your patience.

++++++++++++++++++++++ TRACK TOPIC REPLIES ++++++++++++++++++++++

Looking for your own topic? To track replies in your own topics, first you must be at the index of the Malware Removal Forum:
http://www.geekstogo.com/forum/Malware-Removal-HiJackThis-Logs-Go-Here-f37.html

Then at the bottom right of it you should be able to see several options, (see Figure 1) choose Topics: I Replied then click the Go button.

Posted Image

Figure 1

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  • 0

#3
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

Right click on the Microsoft AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection.
(Note: We will re-ENABLE them later after your system is all clean and malware free.)


Read here with regard to XoftSpy - http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note


Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Do NOT run it yet.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)
===================================================
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F575EAE8-CEAA-A155-BAC9-E707C7737E52} - D:\WINDOWS\system32\ieyy.dll (file missing)
O16 - DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} - file://E:\IntraLaunch.CAB
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/d...r/int_ver30.CAB

Make sure to double check the items you have selected,then click Fix Checked.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • D:\WINDOWS\system32\ieyy.dll
Finally, Empty Recycle Bin

++++++++++++++++++++++
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#4
scott leigh

scott leigh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hey Kool808

thanks alot for getting back to me so quickly, apologies for not getting back to you sooner but i'm having to rely on a mates computer at the moment to do all my communicating.

I'm pretty much there except i'm still having problems getting internet explorer to work. I've done everything you said up until running the pandascan, which i am unable to do, because everytime i open internet explorer it just closes down.

Hijackthis log file & smitfiles.txt log and the Ewido Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:36, on 30/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Leigh\My Documents\My Received Files\av software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.philrees.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlsv32.exe] D:\WINDOWS\atlsv32.exe
O4 - HKLM\..\Run: [msud32.exe] D:\WINDOWS\system32\msud32.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Remote_Agent] "D:\Program Files\CyberLink Media Carnival\PowerVCR II\RemoteAgent.exe"
O4 - HKCU\..\Run: [SpeedswitchXP] D:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com...ScannerCtrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://D:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE


smitRem log file
version 2.3

by noahdfear

The current date is: 29/08/2005
The current time is: 22:24:28.67

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :tazz:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:51:32, 29/08/2005
+ Report-Checksum: 4F570AEF

+ Scan result:

D:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup


::Report End

I had a look at the options in Internet explorer and did find a connection called 'SIXA' which i removed...that has not changed anything....couldi be missing a driver or something that cleaning got rid of?

many thanks and i look forward to your reply

cheers

Scott
  • 0

#5
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please read the instructions for About:Buster then download it to a safe location where you can easily remember it.
Please Download the stand-alone version of CoolWebShredder
Download Cleanup.

Save all of these files somewhere you will remember like to the Desktop.

Run the CleanUp! installer. You dont need to do anything with it right now. Do NOT run it yet.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Reboot in SAFE MODE. (How to boot in Safe Mode...)
================================================
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [atlsv32.exe] D:\WINDOWS\atlsv32.exe
O4 - HKLM\..\Run: [msud32.exe] D:\WINDOWS\system32\msud32.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\WINDOWS\System32\shdocvw.dll

Make sure to double check the items you have selected, then click Fix Checked.
================================================

Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
In the event you get an error message then do the following:
Start > Run then paste this in the dialog box

regsvr32 C:\Windows\System32\COMCTL32.OCX


Run about:buster again following the same instructions as above, this time without the restart at the end

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky Online Scan or if that doesnt work, you can have an On-line scan at this sites:
Trend Micro or Panda Scan or BitDefender.
(Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck!
  • 0

#6
scott leigh

scott leigh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hey Kool808

thanks again for helping out on this, so far so good...i followed your instructions and was able to use internet explorer to get onto Kaspersky without IE crashing, the virus scan found 10 viruses and 71 suspicious objects.

Logfile of HijackThis v1.99.1
Scan saved at 15:12:01, on 30/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Documents and Settings\Leigh\My Documents\My Received Files\av software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.philrees.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Remote_Agent] "D:\Program Files\CyberLink Media Carnival\PowerVCR II\RemoteAgent.exe"
O4 - HKCU\..\Run: [SpeedswitchXP] D:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com...ScannerCtrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://D:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE


AboutBuster 5.0 reference file 31
Scan started on [30/08/2005] at [14:03:28]
------------------------------------------------
Removed Stream! D:\WINDOWS\cdplayer.ini:zdhsho
Removed Stream! D:\WINDOWS\control.ini:kwkcdj
Removed Stream! D:\WINDOWS\KB828035.log:bgtnod
Removed Stream! D:\WINDOWS\KB835732.log:thmsin
Removed Stream! D:\WINDOWS\KB839645.log:miegly
Removed Stream! D:\WINDOWS\Rhododendron.bmp:gvosen
Removed Stream! D:\WINDOWS\_default.pif:izrabj
Removed Stream! D:\WINDOWS\_default.pif:lausxe
Removed Stream! D:\WINDOWS\_default.pif:uerhmv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 14:03:47


AboutBuster 5.0 reference file 31
Scan started on [30/08/2005] at [14:06:16]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 14:06:35


AboutBuster 5.0 reference file 31
Scan started on [30/08/2005] at [14:06:46]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 14:06:57

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, August 30, 2005 15:09:35
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/08/2005
Kaspersky Anti-Virus database records: 137582
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 82329
Number of viruses found: 10
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 3026 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032130.exe Infected: Trojan-Downloader.Win32.Small.gl
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP193\A0031532.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032064.exe Infected: Trojan.Win32.Small.ev
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032067.pif:xxopew:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032071.exe Infected: Backdoor.Win32.Agent.bg
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032080.pif:nninj:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032080.pif:xxopew:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032103.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032104.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032105.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032106.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032107.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032108.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032109.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032110.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032111.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032112.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032113.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032114.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032115.exe Infected: Trojan.Win32.Small.ev
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032118.ini:wxulsg:$DATA Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032118.ini:zdhsh:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032119.ini:kwkcd:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:dmgudr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:fmtmc:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:kewta:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:ksaav:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:nninj:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:vgzmo:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:vldtr:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032120.pif:xxopew:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032131.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032132.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032133.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032134.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032135.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032136.ini:qnwfy:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032137.ini:wxulsg:$DATA Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032137.ini:zdhsh:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032138.ini:kwkcd:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032140.INI:qfqcsq:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032141.exe Infected: Trojan-Downloader.Win32.Small.bju
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032142.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032143.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032144.INI:vjacj:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032145.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032146.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032147.dll Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032148.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032151.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032152.dll Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032153.exe Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032154.dll Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032155.dll Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032156.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032157.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032158.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032159.exe Infected: Trojan.Win32.Agent.bi
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032160.ini:novuo:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032161.PRX:xpynk:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:dmgudr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:fmtmc:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:kewta:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:ksaav:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:nninj:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:vgzmo:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:vldtr:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032162.pif:xxopew:$DATA Infected: Trojan-Downloader.Win32.Agen.tbq
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP194\A0032164.dll Infected: Trojan.Win32.Small.ev
D:\System Volume Information\_restore{8629F9E5-819D-4952-93D6-711E46FF15CE}\RP196\A0032180.dll Infected: Virus.Win32.Nsag.b
D:\WINDOWS\system32\in8PwrScrMs1086.dll Infected: Trojan-Dropper.Win32.Small.abd

Scan process completed.

I don't think Kaspersky removed any of the infected files so will i have to that manually?

thanks

Scott
  • 0

#7
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Very good, you did it very well. Your log looks much better. :tazz:

reboot to safe mode then delete this file:
D:\WINDOWS\system32\in8PwrScrMs1086.dll

empty recycle bin

reboot back to NORMAL MODE.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP, HERE

to verify you are clean , run another kaspersky scan, if all clean no need to post the results. Otherwise, if infected then post another log.

post back a new hijackthis log.
how is your system running?
  • 0

#8
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP