inappropriate popups on Kids Computer [RESOLVED]



#1 kimerskine
Member, 50 posts

When I signed on to "clean" my kid's computer there were these very graphic popups. The computer has also been running incredibly slow and they, being children, don't like to wait :tazz: so they click all over. They also can't spell :) so I am quite sure we have downloaded tons of bad stuff.

I have run all the first steps listed for first-time users and seem to have removed tons of stuff; however, when I went back on this morning, there was new stuff :) so I am now onto this. I think I am doing something wrong as I have gotten no response... HELP please...

I have pasted the HijackThis log here...

Logfile of HijackThis v1.99.1
Scan saved at 12:58:07 PM, on 9/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ghmd.exe
C:\WINDOWS\ghmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\111318~1\EE\AOLHOS~1.EXE
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\COMMON~1\AOL\111318~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1113182202\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.geekstogo.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125308550625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125308525812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: e8g7zebx18olludll.dll.dll.dll.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

I hope you can help... I am about to ban the kids from the computer altogether!!!

Edited by kimerskine, 05 September 2005 - 07:39 PM.



#2 skate_punk_21
Malware Removal Expert (Retired Staff), 1,049 posts

Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Notes
LOL I don't think banning will be necessary just yet - we will address potential security measures when I deem your log clean! :tazz:

At this point I would like you to UPDATE Ewido Security Suite but DO NOT run a scan just yet...


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Security IGuard
WareOut


Run Downloaded Programs
Run Ewido Security Suite
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O20 - AppInit_DLLs: e8g7zebx18olludll.dll.dll.dll.dll

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Security iGuard\
C:\WINDOWS\System32\popcorn72.exe
ALCXMNTR.EXE <--search for and delete via "Start | Search"
C:\Program Files\WareOut\
e8g7zebx18olludll.dll.dll.dll.dll <--search for and delete via "Start | Search"
C:\WINDOWS\ghmd.exe <--Unless you know what this is, delete it

Reboot your system in Normal Mode.


Further Scanning
Please run a Scan at the Following site
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available.
At the end of this scan you will be given the option to save a log from the scan -SAVE THAT LOG- and post it here.

Please post a fresh HijackThis log & the Ewido Log, as well as the Log from Panda so that we can check if your system is clean.

Edited by skate_punk_21, 06 September 2005 - 03:57 PM.


#3 kimerskine
Topic Starter, Member, 50 posts

I did everything you said, though when I log on in Normal mode I get a screen that has a huge warning all across it saying my computer may be infected. When I go to try to run Panda ActiveScan it seems to get hung up and doesn't work, so I try to stop it but that doesn't work... In the meantime here is my new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:15:26 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\intmonp.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\111318~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111318~1\EE\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1113182202\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.geekstogo.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125308550625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125308525812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

and Ewido log:

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:02:39 PM, 9/6/2005
+ Report-Checksum: 3CC9684E

+ Scan result:

C:\Temporary Internet Files\Content.IE5\0BZH2FHH\ani[1].anr -> TrojanDownloader.Ani.c : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\0BZH2FHH\[bleep][1].html -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\0BZH2FHH\count[1].htm -> TrojanDownloader.Inor.a : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\4WSVP0KG\adv645[1].htm -> TrojanDownloader.Inor.a : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\4WSVP0KG\exploit[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\4WSVP0KG\root[1].htm -> TrojanDownloader.Inor.a : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\6VAZY92R\BlackBox[1].class -> Trojan.Java.ClassLoader.f : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\B317RXKS\friday[1].htm -> TrojanDownloader.VBS.Psyme.ap : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\EHCJI1I5\adv778[1].htm -> TrojanDownloader.Inor.a : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\EHCJI1I5\Dummy[1].class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\QPVWTCFQ\loader[1].jar/Counter.class -> Trojan.ClassLoader.h : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\QPVWTCFQ\loader[1].jar/Parser.class -> Trojan.Java.ClassLoader.Dummy.a : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\R3PF9ROM\sploit[2].anr -> TrojanDownloader.Ani.c : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\ST0NTUVL\adv730[1].htm -> TrojanDownloader.Inor.a : Cleaned with backup
C:\Temporary Internet Files\Content.IE5\SXOBOVWJ\VerifierBug[1].class -> Trojan.Byteverify : Cleaned with backup


::Report End


I also now have an icon on my desktop called PSGuard Software

Sorry I can't get active panda going. :tazz:

#4 skate_punk_21
Malware Removal Expert (Retired Staff), 1,049 posts

Downloads
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BFC62934-D501-4231-9A21-F0B93C3FECC1} - (no file) (HKCU)

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\msmsgs.exe
C:\Program Files\PSGuard\
C:\Program Files\WareOut\


Run Downloaded Programs
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Further Scanning
Please run a Scan at the Following site
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available.
At the end of this scan you will be given the option to save a log from the scan -SAVE THAT LOG- and post it here.

Post it along with a new HijackThis log and the contents of smitfiles.txt, by using Add Reply.
Let us know if any problems persist.
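The two fix lists above (#2 and #4) show the kinds of HijackThis entries a helper singles out: a Shell= value with a second program appended, a malformed Hosts entry, Run keys for rogue "antispyware" products, a system-named binary living in the wrong folder, orphaned "(no file)" entries, and a populated AppInit_DLLs value. The script below is an added example, not code from this forum, from HijackThis or from any of the tools named in the thread; it parses log lines in HijackThis v1.99.1 format and applies those heuristics. The rogue names, bad filenames and expected-folder map are assumptions drawn only from the entries flagged in this thread, and the sample log is constructed from lines that appear in it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic rules written for this example (assumptions, not a vendor list).
# The names come from the entries the helper flagged in this thread.
ROGUE_RUN_NAMES = {"security iguard", "wareout", "psguard"}
KNOWN_BAD_FILES = {"popcorn72.exe", "alcxmntr.exe", "psguard.exe", "wareout.exe"}
# Folder a genuine copy of the binary lives in on Windows XP; a same-named
# file anywhere else is treated as an impostor (e.g. system32\msmsgs.exe).
EXPECTED_DIR = {"msmsgs.exe": "\\program files\\messenger\\"}

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Microsoft AntiSpyware helper - {9A9F3003-5386-48AF-AC83-8C8D88C39485} - (no file) (HKCU)
O20 - AppInit_DLLs: e8g7zebx18olludll.dll.dll.dll.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "high" (remove) or "review" (confirm before fixing)
    reason: str
    line: str

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}\s")

def _exe_path(command: str) -> str:
    """Program path from a Run value: strips quotes and trailing arguments."""
    m = re.match(r'"?(.*?\.exe)"?', command.strip(), re.IGNORECASE)
    return m.group(1) if m else command.strip()

def check_line(raw: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing suspicious by these rules."""
    raw = raw.rstrip()
    m = LINE_RE.match(raw)
    if not m:
        return None
    section, body = m.groups()
    lower = body.lower()
    if section == "F2" and lower.startswith("reg:system.ini: shell="):
        # The shell value should be Explorer.exe alone; anything appended runs at every logon.
        programs = [p.strip().lower() for p in body.split("=", 1)[1].split(",")]
        extra = [p for p in programs if p and p != "explorer.exe"]
        if extra:
            return Finding(section, "high", "Shell= also launches " + ", ".join(extra), raw)
    elif section == "O1" and lower.startswith("hosts:"):
        # A genuine hosts entry starts with an address; reversed or junk entries are suspect.
        if not IP_RE.match(body.split(":", 1)[1].strip()):
            return Finding(section, "review", "malformed hosts entry", raw)
    elif section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            _hive, name, command = m4.groups()
            path = _exe_path(command)
            base = path.rsplit("\\", 1)[-1].lower()
            if name.lower() in ROGUE_RUN_NAMES or base in KNOWN_BAD_FILES:
                return Finding(section, "high", f"autostart of known rogue program {base}", raw)
            expected = EXPECTED_DIR.get(base)
            if expected and expected not in path.lower():
                return Finding(section, "high", f"{base} running from unexpected path {path}", raw)
    elif section in ("O3", "O9") and "(no file)" in body:
        return Finding(section, "review", "orphaned entry whose file is gone", raw)
    elif section == "O20" and lower.startswith("appinit_dlls:"):
        # AppInit_DLLs is empty on a stock XP install; any DLL here loads into every GUI process.
        value = body.split(":", 1)[1].strip()
        if value:
            return Finding(section, "high", f"AppInit_DLLs loads {value} into every process", raw)
    return None

def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the hits."""
    return [f for f in (check_line(line) for line in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

On the constructed sample this flags eleven of the fifteen lines and leaves the HP startup entry, the genuine Windows Messenger Run key (whose path is under Program Files\Messenger) and the Intel Winlogon Notify entry alone. The "review" findings (Hosts, the two "(no file)" entries) are the ones a helper confirms by eye before fixing, which matches how the thread treats them.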

#5 kimerskine
Topic Starter, Member, 50 posts

Here you go... My Son appears to have made a different user so I also ran all your information on his user in safe mode...

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:59 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\AOL\111318~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111318~1\EE\AOLServiceHost.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1113182202\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.geekstogo.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125308550625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125308525812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

and the smitfiles.txt:

smitRem log file
version 2.3

by noahdfear

The current date is: Wed 09/07/2005
The current time is: 8:03:36.46

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :tazz:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

wppp.html
intmonp.exe
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

uninstIU.exe
sites.ini
popuper.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)
and activescan... it did work just took a long time...

Incident Status Location

Adware:adware/dloader No disinfected C:\WINDOWS\SYSTEM32\msblank.html
Adware:adware/cws.searchmeup No disinfected C:\new.exe
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/picsplace No disinfected C:\DriverLoad
Adware:adware/aurora No disinfected Windows Registry
Possible Virus. No disinfected C:\WINDOWS\13103.exe
Possible Virus. No disinfected C:\WINDOWS\13630.exe
Possible Virus. No disinfected C:\WINDOWS\17043.exe
Possible Virus. No disinfected C:\WINDOWS\17587.exe
Possible Virus. No disinfected C:\WINDOWS\20619.exe
Possible Virus. No disinfected C:\WINDOWS\2970.exe
Possible Virus. No disinfected C:\WINDOWS\34297.exe
Possible Virus. No disinfected C:\WINDOWS\34887.exe
Possible Virus. No disinfected C:\WINDOWS\38016.exe
Possible Virus. No disinfected C:\WINDOWS\40138.exe
Possible Virus. No disinfected C:\WINDOWS\43511.exe
Possible Virus. No disinfected C:\WINDOWS\45654.exe
Possible Virus. No disinfected C:\WINDOWS\51308.exe
Possible Virus. No disinfected C:\WINDOWS\51389.exe
Possible Virus. No disinfected C:\WINDOWS\5609.exe
Possible Virus. No disinfected C:\WINDOWS\57212.exe
Possible Virus. No disinfected C:\WINDOWS\58102.exe
Possible Virus. No disinfected C:\WINDOWS\59237.exe
Possible Virus. No disinfected C:\WINDOWS\6195.exe
Possible Virus. No disinfected C:\WINDOWS\64333.exe
Possible Virus. No disinfected C:\WINDOWS\6439.exe
Possible Virus. No disinfected C:\WINDOWS\6448.exe
Possible Virus. No disinfected C:\WINDOWS\65.exe
Possible Virus. No disinfected C:\WINDOWS\68541.exe
Possible Virus. No disinfected C:\WINDOWS\70876.exe
Possible Virus. No disinfected C:\WINDOWS\73331.exe
Possible Virus. No disinfected C:\WINDOWS\76005.exe
Possible Virus. No disinfected C:\WINDOWS\76152.exe
Possible Virus. No disinfected C:\WINDOWS\79523.exe
Possible Virus. No disinfected C:\WINDOWS\80627.exe
Possible Virus. No disinfected C:\WINDOWS\81672.exe
Possible Virus. No disinfected C:\WINDOWS\84172.exe
Possible Virus. No disinfected C:\WINDOWS\84584.exe
Possible Virus. No disinfected C:\WINDOWS\85885.exe
Possible Virus. No disinfected C:\WINDOWS\90297.exe
Possible Virus. No disinfected C:\WINDOWS\90521.exe
Possible Virus. No disinfected C:\WINDOWS\ibs314.exe
Hope this helps...

:)

#6
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
take these files:
C:\WINDOWS\2970.exe
C:\WINDOWS\34297.exe
C:\WINDOWS\34887.exe
C:\WINDOWS\38016.exe
C:\WINDOWS\40138.exe

Please visit Jotti.org and submit the aforementioned files for testing by clicking "Browse," navigating to the correct file, clicking "Open," then "Submit."
Copy and paste the Results back here with your next post when you are finished.

I think if the majority of these come out "dirty" they will all have to go!
We will address all the bad files at the same time...

Edited by skate_punk_21, 07 September 2005 - 01:29 PM.


#7
kimerskine

    Member

  • Topic Starter
  • Member
  • 50 posts
I cannot thank you enough... :tazz: I really feel as if I am making progress... I do have a question. Once I get this clean... and I will... how do I keep it safe for the kids?

I think you were right... here are the results:

File: 2970.exe
Status: INFECTED/MALWARE
MD5 287cc74e4b77ae13a941594c886d276a
Packers detected: UPX

did you need this stuff too?

AntiVir Found TR/Dldr.Delf.DD.10
ArcaVir Found Trojan.Downloader.Delf.Dd
Avast Found Win32:Trojan-gen.
AVG Antivirus Found Downloader.Small.43.BP
BitDefender Found Trojan.Downloader.Delf.DD
ClamAV Found Dialer-339
Dr.Web Found Trojan.DownLoader.2989
F-Prot Antivirus Found W32/Downloader.HAM
Fortinet Found W32/Delf.DD-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.dd
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.DG (probable variant)
Norman Virus Control Found W32/DLoader.ESA
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Delf.dd

next:


File: 34297.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 287cc74e4b77ae13a941594c886d276a
Packers detected: UPX

AntiVir Found TR/Dldr.Delf.DD.10
ArcaVir Found Trojan.Downloader.Delf.Dd
Avast Found Win32:Trojan-gen.
AVG Antivirus Found Downloader.Small.43.BP
BitDefender Found Trojan.Downloader.Delf.DD
ClamAV Found Dialer-339
Dr.Web Found Trojan.DownLoader.2989
F-Prot Antivirus Found W32/Downloader.HAM
Fortinet Found W32/Delf.DD-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.dd
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.DG (probable variant)
Norman Virus Control Found W32/DLoader.ESA
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Delf.dd

next:


File: 34887.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 287cc74e4b77ae13a941594c886d276a
Packers detected: UPX
Scanner results
AntiVir Found TR/Dldr.Delf.DD.10
ArcaVir Found Trojan.Downloader.Delf.Dd
Avast Found Win32:Trojan-gen.
AVG Antivirus Found Downloader.Small.43.BP
BitDefender Found Trojan.Downloader.Delf.DD
ClamAV Found Dialer-339
Dr.Web Found Trojan.DownLoader.2989
F-Prot Antivirus Found W32/Downloader.HAM
Fortinet Found W32/Delf.DD-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.dd
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.DG (probable variant)
Norman Virus Control Found W32/DLoader.ESA
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Delf.dd

next:


File: 38016.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 287cc74e4b77ae13a941594c886d276a
Packers detected: UPX
Scanner results
AntiVir Found TR/Dldr.Delf.DD.10
ArcaVir Found Trojan.Downloader.Delf.Dd
Avast Found Win32:Trojan-gen.
AVG Antivirus Found Downloader.Small.43.BP
BitDefender Found Trojan.Downloader.Delf.DD
ClamAV Found Dialer-339
Dr.Web Found Trojan.DownLoader.2989
F-Prot Antivirus Found W32/Downloader.HAM
Fortinet Found W32/Delf.DD-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.dd
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.DG (probable variant)
Norman Virus Control Found W32/DLoader.ESA
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Delf.dd

And last:


File: 40138.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 287cc74e4b77ae13a941594c886d276a
Packers detected: UPX
Scanner results
AntiVir Found TR/Dldr.Delf.DD.10
ArcaVir Found Trojan.Downloader.Delf.Dd
Avast Found Win32:Trojan-gen.
AVG Antivirus Found Downloader.Small.43.BP
BitDefender Found Trojan.Downloader.Delf.DD
ClamAV Found Dialer-339
Dr.Web Found Trojan.DownLoader.2989
F-Prot Antivirus Found W32/Downloader.HAM
Fortinet Found W32/Delf.DD-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.dd
NOD32 Found probably a variant of Win32/TrojanDownloader.Delf.DG (probable variant)
Norman Virus Control Found W32/DLoader.ESA
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Delf.dd


Go for it!!!
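All five files came back from Jotti with the same MD5, so they are one sample copied under different numeric names. As an added example (not code from this thread, from Jotti or from smitRem), the Python below hashes every .exe in a directory, groups the files by digest so only one per group needs submitting, and lists the numeric-only names of the kind ActiveScan flagged under C:\WINDOWS; the directory and file contents are constructed placeholders.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Numeric-only names such as 13103.exe or 2970.exe, the pattern the
# ActiveScan report showed under C:\WINDOWS.
_NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_numeric_exes(dirpath):
    """Names of numeric-only .exe files in dirpath, sorted by their number."""
    names = [n for n in os.listdir(dirpath) if _NUMERIC_EXE.match(n)]
    return sorted(names, key=lambda n: int(n.split(".")[0]))


def group_by_hash(dirpath):
    """Map MD5 digest -> sorted list of .exe names in dirpath sharing that digest."""
    groups = defaultdict(list)
    for name in os.listdir(dirpath):
        if name.lower().endswith(".exe"):
            groups[md5_of_file(os.path.join(dirpath, name))].append(name)
    return {digest: sorted(names) for digest, names in groups.items()}


def unique_samples(dirpath):
    """One representative file per distinct digest: the set worth submitting to a scanner."""
    return sorted(names[0] for names in group_by_hash(dirpath).values())


def build_constructed_sample_dir():
    """Constructed stand-in for the infected C:\\WINDOWS: five identical copies plus
    one different file. The bytes are harmless placeholders, not real samples."""
    d = tempfile.mkdtemp(prefix="winroot_")
    for name in ("2970.exe", "34297.exe", "34887.exe", "38016.exe", "40138.exe"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"CONSTRUCTED-SAMPLE-A")
    with open(os.path.join(d, "ibs314.exe"), "wb") as f:
        f.write(b"CONSTRUCTED-SAMPLE-B")
    with open(os.path.join(d, "sites.ini"), "w") as f:  # non-exe, ignored by the grouping
        f.write("constructed\n")
    return d


if __name__ == "__main__":
    d = build_constructed_sample_dir()
    for digest, names in group_by_hash(d).items():
        print(digest, len(names), "file(s):", ", ".join(names))
    print("submit:", unique_samples(d))
```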

#8
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
There's lots of files to get rid of here, so being the super cool dude that I am, I will make a little tool for ya! Download the attachment AT THE BOTTOM, and save it to your desktop. Rename it to killem.bat. DO NOT RUN IT YET

Boot into safe mode (just in case the files to remove are running and are hidden somewhere), then double-click the file to run it. If you get an error about some 16-bit applications blah blah blah, copy "AUTOEXEC.NT" from C:\windows\repair into C:\windows\system32

Now you are done!! Reboot back to normal mode and read through the following preventative measures...
______
This should have been the last of your problems. Your Log is clean and we've addressed everything for the panda scan.
As you requested (mind you, I do this at the end of every cleaning), here are several preventative measures you can take to prevent reinfection

______

Congratulations Your Log is Clean!!

If you are still having trouble, please don't continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function - simply uncheck this same box, and click "apply" and "ok"


2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.


Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

How is she running now? Any further problems? If not, good work, and Happy Computing!

Please reply once more so we know you have read these measures.

Edited by skate_punk_21, 07 September 2005 - 04:49 PM.


#9
kimerskine

    Member

  • Topic Starter
  • Member
  • 50 posts
:tazz: :) :)

Looks great. I have installed what you said as well as AVG Virus protection. Do you need to see a HijackThis log?

Where can I look to find out what settings I should use on my Internet Options?

You are the best... Let's keep our fingers crossed!!!

Thank You!!! :) :ph34r: :ph34r:

#10
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
No more logs needed.

SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.

* Select the Security tab
o Click once on the Internet icon so it becomes highlighted.
o Select Custom Level .
+ Change 'Download signed ActiveX controls' to Prompt
+ Change 'Download unsigned ActiveX controls' to Disable
+ Change 'Initialize and script ActiveX controls not marked as safe' to Disable
+ Change 'Installation of desktop items' to Prompt
+ Change 'Launching programs and files in an IFRAME' to Prompt
+ Change 'Navigate sub-frames across different domains' to Prompt
+ When all these changes have been made, click on the OK button.
o If it prompts you as to whether or not you want to save the settings, press the Yes button.
* Select OK to exit the Internet Properties page.
- And you should be good from here; the first few recommendations are almost crucial for security as they prevent certain KNOWN BAD downloads.

One last possibility, Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

That's all!! :tazz:
Good luck and Enjoy

Edited by skate_punk_21, 07 September 2005 - 08:08 PM.

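The six Custom Level settings above are stored as DWORD values under the Internet zone key (Zones\3) of HKCU, with 0 = Enable, 1 = Prompt and 3 = Disable; the action IDs used here are Microsoft's documented ones and are not from the post. As an added example (not skate_punk_21's tool or instructions), the Python below parses a constructed "reg export" of that key, reports every setting weaker than the post recommends, and produces the hardened values that a second audit passes.

```python
import re

# Internet zone key and Microsoft's documented action IDs for the six settings
# the post changes; recommended states follow the post.
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample export: three settings still at the permissive Enable state.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"1607"=dword:00000000
"""

_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone_export(text, key=ZONE3_KEY):
    """Return {value_name: int} for the DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _DWORD_LINE.match(line)
        if in_key and m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_internet_zone(values):
    """(id, description, current, recommended) for each setting weaker than recommended.
    Enable (0) < Prompt (1) < Disable (3) in strictness, and an absent value is reported."""
    findings = []
    for action_id, (desc, want) in RECOMMENDED.items():
        have = values.get(action_id)
        if have is None or have < want:
            findings.append((action_id, desc, STATE_NAMES.get(have, "not set"), STATE_NAMES[want]))
    return findings


def harden(values):
    """Copy of `values` with the recommended state applied to all six settings."""
    fixed = dict(values)
    for action_id, (_, want) in RECOMMENDED.items():
        fixed[action_id] = want
    return fixed
```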

#11
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.