Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Web Nexus spyware - Unable to get rid of it [RESOLVED]

Started by ay090 , Aug 27 2005 04:45 PM

This topic is locked

#1
ay090

Posted 27 August 2005 - 04:45 PM

New Member

Member
8 posts

Hello,

I have browsed some of the Web Nexus topics on this forum and followed the removal instructions with no success. Attached is the log from my Hijackthis run. Out of the processes listed here, glxd4d.exe is the only one that looks suspicious. I tried to delete this using KillBox after logging in safe mode with system restore turned off. As soon as I login in normal mode, this files re-appears and I see popups with both IE and Firefox. I greatly appreciate your help in fixing this problem.

Thank you,
-A.

Logfile of HijackThis v1.99.1
Scan saved at 6:33:18 PM, on 8/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.exe
C:\Program Files\Verizon Online\Verizon Online Control Pad\UIEngines\FlashUIEngine\cpskin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\glxd4d.exe reg_run
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC4EE7A-C4C8-4C34-8DCC-9E7F8ADB0516}: NameServer = 151.203.0.85 151.202.0.85
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Unknown owner - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Edited by ay090, 27 August 2005 - 07:33 PM.

#2
ay090

Posted 27 August 2005 - 07:53 PM

New Member

Topic Starter
Member
8 posts

Based on the instructions from another thread with similar problem, I downloaded WinPFind and Track qoo. Here are the reports generated by these scripts:

================== WinPFind.txt =========================
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com 7/10/2005 10:41:14 AM 10992 C:\WINDOWS\ojrkh.dll
web-nex 7/10/2005 10:41:14 AM 10992 C:\WINDOWS\ojrkh.dll
ad-w-a-r-e.com 7/10/2005 10:41:14 AM 10992 C:\WINDOWS\ojrkh.dll

Checking %System% folder...
PEC2 8/18/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
69.59.186.63 8/27/2005 9:31:56 PM 46080 C:\WINDOWS\SYSTEM32\jsfgkdg.dll
209.66.67.134 8/27/2005 9:31:56 PM 46080 C:\WINDOWS\SYSTEM32\jsfgkdg.dll
web-nex 8/27/2005 9:31:56 PM 46080 C:\WINDOWS\SYSTEM32\jsfgkdg.dll
winsync 8/27/2005 9:31:56 PM 46080 C:\WINDOWS\SYSTEM32\jsfgkdg.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
69.59.186.63 8/27/2005 9:31:58 PM 10240 C:\WINDOWS\SYSTEM32\njrbo.dll
209.66.67.134 8/27/2005 9:31:58 PM 10240 C:\WINDOWS\SYSTEM32\njrbo.dll
web-nex 8/27/2005 9:31:58 PM 10240 C:\WINDOWS\SYSTEM32\njrbo.dll
winsync 8/27/2005 9:31:58 PM 10240 C:\WINDOWS\SYSTEM32\njrbo.dll
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/10/2005 10:09:10 AM H 0 C:\WINDOWS\INF\oem18.inf
8/16/2005 7:48:48 PM H 528 C:\WINDOWS\SYSTEM32\vsconfig.xml
7/8/2005 9:18:48 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
8/27/2005 9:40:42 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
8/27/2005 9:40:58 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
8/27/2005 9:40:46 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
8/27/2005 9:41:52 PM H 110592 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
8/27/2005 9:40:48 PM H 937984 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/5/2005 2:05:16 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\9b0b151c-521b-4288-9059-23cc84bda323
7/5/2005 2:05:16 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred

Checking for CPL files...
Microsoft Corporation 8/18/2001 8:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
7/15/2005 7:03:10 PM 28672 C:\WINDOWS\SYSTEM32\conres.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 10:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Apple Computer, Inc. 9/23/2004 8:57:44 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\DLLCACHE\inetcpl.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/15/2001 9:31:16 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
8/24/2005 8:30:44 PM 91648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\knut.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/15/2001 9:23:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
4/17/2004 9:27:18 PM 7 C:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt

Checking files in %USERPROFILE%\Startup folder...
11/15/2001 9:31:16 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
11/15/2001 9:23:32 AM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{BCC150FD-F567-4D59-BA0B-2957BEE9E239} =
{DE769299-6DF7-456E-B765-CC8872ABDBB0} =
{C5CB9D68-BC5C-47E1-92B6-6AB213AAD6AC} =
{F3BAA6BE-3123-4B5A-AC92-AACF71AFE957} = C:\WINDOWS\system32\nsobjapi.dll
{3226D5E2-EE3B-418B-9AB8-5FE71505A7EA} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nfsqtkqt
{1174ac1a-860b-4ef8-89da-a192639232ea} = C:\WINDOWS\System32\njrbo.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
=

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Zone Labs Client "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
winsync C:\WINDOWS\System32\glxd4d.exe reg_run
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/27/2005 9:47:11 PM

================== Track qoo Report =======================
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\Integrity Client\\iclient.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"winsync"="C:\\WINDOWS\\System32\\glxd4d.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- nfsqtkqt
{1174ac1a-860b-4ef8-89da-a192639232ea}
C:\WINDOWS\System32\njrbo.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR

Subkey --- WinZip
{E0D79300-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WinZip\wzshlext.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
knut.exe
==============================
C:\Documents and Settings\Arvind\Start Menu\Programs\Startup

DESKTOP.INI
knut.exe
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files

ACCESS.CPL Microsoft Corporation
appwiz.cpl Microsoft Corporation
conres.cpl
desk.cpl Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NUSRMGR.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

#3
ay090

Posted 01 September 2005 - 05:56 PM

New Member

Topic Starter
Member
8 posts

Hello,

Could you please take a look at the latest set of logs (hijackThis, WinPFind and Track qoo) attached and help me out ?

Thank you,
-A

--------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:46:59 PM, on 9/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Download\AntiSpyware\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\glxd4d.exe reg_run
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Unknown owner - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-------------------------------------------------------------------------------

Attached Files

WinPFind.Txt 15.82KB 91 downloads
Report.txt 3.42KB 129 downloads

#4
loophole

Posted 01 September 2005 - 09:59 PM

Malware Expert

Retired Staff
9,798 posts

Hello ay090 :tazz:

Welcome to Geeks to Go
I am working on your log and will have a fix posted for you soon.

#5
loophole

Posted 01 September 2005 - 10:27 PM

Malware Expert

Retired Staff
9,798 posts

Hello ay090 :tazz:

Thank you for your patience

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nfsqtkqt]

Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\SYSTEM32\jsfgkdg.dll
C:\WINDOWS\SYSTEM32\njrbo.dll
C:\WINDOWS\SYSTEM32\vgactl.cpl
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\knut.exe
C:\WINDOWS\system32\nsobjapi.dll
C:\WINDOWS\System32\glxd4d.exe

As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\glxd4d.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Restart back in Normal Mode and Post a fresh HijackThis log!

Thanks

#6
ay090

Posted 02 September 2005 - 05:12 PM

New Member

Topic Starter
Member
8 posts

Thanks loophole,

My system already looks better. Here is the new HijackThis log. I am also attaching the other two logs just in case.

Thanks again,
-A

===============================================
Logfile of HijackThis v1.99.1
Scan saved at 6:58:45 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Download\AntiSpyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Unknown owner - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Attached Files

WinPFind.Txt 14.87KB 93 downloads
Report.txt 3.25KB 94 downloads

#7
loophole

Posted 02 September 2005 - 09:20 PM

Malware Expert

Retired Staff
9,798 posts

Good

Now lets go after all the stuff thats not visible in the Hijack log

please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here with a new hijack log

#8
ay090

Posted 03 September 2005 - 07:07 AM

New Member

Topic Starter
Member
8 posts

Loophole,

The active scan log is attached

Thanks,
-A.

Incident Status Location

Adware:Adware/QoolShown No disinfected C:\!Submit\glxd4d.exe
Adware:Adware/QoolShown No disinfected C:\!Submit\jsfgkdg.dll
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Aravind\Local Settings\Temp\asfjkk32.tmp
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Aravind\Local Settings\Temp\ExtractDLL.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Aravind\Local Settings\Temp\i7E.tmp
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Aravind\Local Settings\Temp\thin_installer.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\5VE2VHLP\marketing32[1].html
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\S5QRKPEF\CA4XQ301.HTM
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\ST0EV23P\classload[1].jar[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\ST0EV23P\classload[1].jar[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\ST0EV23P\classload[1].jar[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\ST0EV23P\classload[1].jar[Installer.class]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Aravind\Local Settings\Temporary Internet Files\Content.IE5\ST0EV23P\marketing37[1].html
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Arvind\Local Settings\Temporary Internet Files\Content.IE5\DCS7XDKP\pcs_0002[1].exe
Adware:Adware/StartPage.BR No disinfected C:\Program Files\Adware Away\ad.dll
Adware:Adware/AdBehavior No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\38044001-5923-4169-A70D-91F8CB\2B340FAD-24F3-4C4C-BD68-7E4C61
Adware:Adware/AdBehavior No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4CC94830-0783-4123-8374-EC77B1\80EDE19C-948E-4079-8E45-102614
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\50955463-B42E-4EF1-B373-9EA48F\26B206E7-1BAE-49AC-82CE-65EA0B
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\58C98DBA-9882-42D0-A20D-B5A3CC\B6D8B294-7083-444B-BDF3-3F7DB2
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\877E2B5A-4500-48ED-893B-97FEC9\D00B64A6-295D-4DF5-A130-C7D8EF
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8A156EBC-601F-4918-BC32-875924\43FD8D90-1BF1-49F7-A8CE-128272
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C818DA1-AE74-4CCC-9A22-C3606D\C920B243-DF8C-4EF2-8CB4-CAF1FC
Virus:Trj/Qoologic.G Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\4D1C58D4-162C-478F-8C09-0BC1DC
Virus:Trj/Qoologic.G Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\669E85C8-5C00-45EA-922F-802283
Virus:Trj/Qoologic.G Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\7A79E851-FF7F-4292-802C-1A3E67
Virus:Trj/Qoologic.H Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\9F55BFFC-440B-4EEC-9CF1-EA5440
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\C59CC5D8-8822-48C9-943E-43334A
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\E37D73B2-DF59-4C80-BAFE-50D5F3
Adware:Adware/Pacimedia No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B02E0917-463D-4F14-8142-62D1A4\83CEF2EF-7169-42BE-8AFD-C18DBB
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C04BD6D4-3A4A-4979-9D89-ECDE4E\36AF63AE-9E07-48FE-81C0-876C1F
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F925E527-2C2A-4F3D-9258-9768F1\07DB401E-A414-4C59-9C4D-0D625C
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FB3EF126-AB59-47B5-B53A-56D4FC\8EFFF998-4AB5-4143-9C4A-B3CC35
Spyware:Spyware/ISTBar No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Virus:Bck/Agent.JK Disinfected C:\Recycled\Q330995.exe
Virus:Trj/Downloader.EFG Disinfected C:\RECYCLER\S-1-5-21-3403473811-1376643981-488748980-500\Dc1.dll
Adware:Adware/QoolShown No disinfected C:\RECYCLER\S-1-5-21-3403473811-1376643981-488748980-500\Dc2.exe
Adware:Adware/QoolShown No disinfected C:\RECYCLER\S-1-5-21-3403473811-1376643981-488748980-500\Dc3.dll
Adware:Adware/QoolShown No disinfected C:\RECYCLER\S-1-5-21-3403473811-1376643981-488748980-500\Dc4.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\banner.inf
Virus:Trojan Horse Disinfected C:\WINDOWS\madise.dll
Adware:Adware/QoolShown No disinfected C:\WINDOWS\pss\knut.exeCommon Startup
Virus:Trj/Clicker.FV Disinfected C:\WINDOWS\SYSTEM\usaofvsg.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\apgvb.dat
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\nbxorqo.exe
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\System320nsp710

Attached Files

Activescan.txt 14.91KB 102 downloads

Edited by ay090, 03 September 2005 - 10:13 AM.

#9
loophole

Posted 03 September 2005 - 05:04 PM

Malware Expert

Retired Staff
9,798 posts

Hello ay090

Lets see if we can finish thing off

Empty your recycle bin

Download and install CleanUp! Here
but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups

Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there

C:\!Submit\glxd4d.exe
C:\!Submit\jsfgkdg.dll
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\INF\banner.inf
C:\WINDOWS\pss
C:\WINDOWS\SYSTEM\usaofvsg.exe
C:\WINDOWS\SYSTEM32\apgvb.dat
C:\WINDOWS\SYSTEM32\nbxorqo.exe
C:\WINDOWS\System320nsp710

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES. You will be rebooting into safemode

Please reboot into safe mode Safe mode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Now run Cleanup

Reboot and post a new log and tell me how your computer is running now.

Thanks :tazz:

Edited by loophole, 03 September 2005 - 05:05 PM.

#10
ay090

Posted 04 September 2005 - 08:49 AM

New Member

Topic Starter
Member
8 posts

Loophole,

Here is the latest ActiveScan report. Thanks for taking the extra time.

-A

Incident Status Location

Adware:Adware/StartPage.BR No disinfected C:\Program Files\Adware Away\ad.dll
Adware:Adware/AdBehavior No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\38044001-5923-4169-A70D-91F8CB\2B340FAD-24F3-4C4C-BD68-7E4C61
Adware:Adware/AdBehavior No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4CC94830-0783-4123-8374-EC77B1\80EDE19C-948E-4079-8E45-102614
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\50955463-B42E-4EF1-B373-9EA48F\26B206E7-1BAE-49AC-82CE-65EA0B
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\58C98DBA-9882-42D0-A20D-B5A3CC\B6D8B294-7083-444B-BDF3-3F7DB2
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\877E2B5A-4500-48ED-893B-97FEC9\D00B64A6-295D-4DF5-A130-C7D8EF
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8A156EBC-601F-4918-BC32-875924\43FD8D90-1BF1-49F7-A8CE-128272
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9C818DA1-AE74-4CCC-9A22-C3606D\C920B243-DF8C-4EF2-8CB4-CAF1FC
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\C59CC5D8-8822-48C9-943E-43334A
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9D96C34F-F926-403B-A50C-785E9E\E37D73B2-DF59-4C80-BAFE-50D5F3
Adware:Adware/Pacimedia No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B02E0917-463D-4F14-8142-62D1A4\83CEF2EF-7169-42BE-8AFD-C18DBB
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C04BD6D4-3A4A-4979-9D89-ECDE4E\36AF63AE-9E07-48FE-81C0-876C1F
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F925E527-2C2A-4F3D-9258-9768F1\07DB401E-A414-4C59-9C4D-0D625C
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FB3EF126-AB59-47B5-B53A-56D4FC\8EFFF998-4AB5-4143-9C4A-B3CC35

#11
loophole

Posted 04 September 2005 - 11:50 AM

Malware Expert

Retired Staff
9,798 posts

Hello

Uninstall Adware away

Then delete this folder C:\Program Files\Adware Away

The rest of the stuff are items that microsoft anyispyware has in its quarantine and are harmless.

You should be good to go.

How is the computer running now?

#12
ay090

Posted 04 September 2005 - 03:30 PM

New Member

Topic Starter
Member
8 posts

Loophole,

The computer is running fine now. I have not seen any nexus pop-ups in the past 3 days.

Thanks,
-A

#13
loophole

Posted 04 September 2005 - 06:33 PM

Malware Expert

Retired Staff
9,798 posts

Glad to hear it

your system is clean :tazz:

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

#14
loophole

Posted 10 September 2005 - 12:29 AM

Malware Expert

Retired Staff
9,798 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.