Psguard [CLOSED]


  • This topic is locked

#16
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

DOWNLOAD PROGRAMS


Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {CC3BA8EE-0F8E-BB35-0653-B020878669DC} - C:\WINDOWS\applm32.dll
O2 - BHO: Class - {D0F03457-32E5-5715-6CDD-72C94F05ABBE} - C:\WINDOWS\system32\netrs.dll
O4 - HKLM\..\Run: [ieyf32.exe] C:\WINDOWS\ieyf32.exe
O4 - HKLM\..\RunOnce: [crcy32.exe] C:\WINDOWS\crcy32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iptb32.exe (file missing)


9. Click the Fix Checked box.

10. Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\Russ\Favorites\SITES ABOUT
C:\Documents and Settings\Russ\Application Data\Lycos


11. Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM32\addor32.exe
    C:\WINDOWS\SYSTEM32\in10b6s.dll
    C:\WINDOWS\SYSTEM32\sdkas32.exe
    C:\WINDOWS\SYSTEM32\WebRebates_Auto_InstallSilent.exe
    C:\WINDOWS\msps.exe
    C:\WINDOWS\system32\appvd.exe
    C:\WINDOWS\system32\atlxn.exe
    C:\WINDOWS\system32\d3ft.exe
    C:\WINDOWS\system32\iezset.exe
    C:\WINDOWS\system32\mfcmf.exe
    C:\WINDOWS\system32\msdipo.dll
    C:\WINDOWS\system32\msfaol.dll
    C:\WINDOWS\system32\msfdje.gif
    C:\WINDOWS\system32\mshpeb.dll
    C:\WINDOWS\system32\msiaih.dll
    C:\WINDOWS\system32\msnapl.dll
    C:\WINDOWS\system32\msvp.exe
    C:\WINDOWS\system32\netoj32.exe
    C:\WINDOWS\system32\ntkl.exe
    C:\WINDOWS\system32\ntvs32.exe
    C:\WINDOWS\system32\ntww.exe
    C:\WINDOWS\system32\sdkuo32.exe
    C:\WINDOWS\system32\sysft32.exe
    C:\WINDOWS\system32\syszx.exe
    C:\WINDOWS\wuxfs.dll
    C:\WINDOWS\ieyf32.exe
    C:\WINDOWS\crcy32.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
12. Reboot into normal mode.

13. Run the program CleanUp!

14. Please run this online virus scan: ActiveScan. Save the results from the scan!

15. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#17
Goingcrazy

    Member

  • Topic Starter
  • Member
  • 17 posts
Excal,

I did exactly as you instructed in your last post, but when I run HJT, it seems like the same stuff keeps showing up. My Norton program told me that Appfi.exe was trying to access the internet also. I also continue to get a pop-up that impersonates a Windows alert saying that my computer is infected with a virus and to click yes to learn about how to remove it; it is just an ad for some spyware program though. I don't know what to do anymore.

Thanks for helping me out!

Here are the reports:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:45 PM, on 9/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\appfi.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\netyo.exe
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F204D3D-B7CB-18CA-6ED8-FB07E3983F5F} - C:\WINDOWS\nethg32.dll
O2 - BHO: Class - {AC9C4885-7656-D10D-70A9-3D0592AAE898} - C:\WINDOWS\atlvs32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [appfi.exe] C:\WINDOWS\system32\appfi.exe
O4 - HKLM\..\RunOnce: [netyo.exe] C:\WINDOWS\netyo.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\crcy32.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Panda Active Scan:

Incident Status Location

Virus:Trj/Downloader.ERZ Disinfected Operating system
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkmj32.exe
Spyware:spyware/petro-line No disinfected C:\Documents and Settings\Russ\Favorites\SITES ABOUT\Ab scissor.url
Adware:adware/searchaid No disinfected C:\Documents and Settings\Russ\Favorites\Only sex website.url
Adware:adware/sidesearch No disinfected C:\Documents and Settings\Russ\Application Data\Lycos
Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\!Submit\appvd.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\atlxn.exe
Virus:Trj/Downloader.ERZ Disinfected C:\!Submit\crcy32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\d3ft.exe
Adware:Adware/eZula No disinfected C:\!Submit\iezset.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\mfcmf.exe
Spyware:Spyware/ClientMan No disinfected C:\!Submit\msdipo.dll
Spyware:Spyware/ClientMan No disinfected C:\!Submit\msfaol.dll
Spyware:Spyware/Omi No disinfected C:\!Submit\msfdje.gif
Spyware:Spyware/Omi No disinfected C:\!Submit\mshpeb.dll
Spyware:Spyware/ClientMan No disinfected C:\!Submit\msiaih.dll
Spyware:Spyware/Omi No disinfected C:\!Submit\msnapl.dll
Adware:Adware/SearchAid No disinfected C:\!Submit\msps.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\msvp.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\netoj32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\ntkl.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\ntww.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\!Submit\sdkuo32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\syszx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addtx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlkn.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crwq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3gs32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\iegd.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\WINDOWS\ieov32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javaet.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\mfcix32.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\WINDOWS\msmz.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdktf32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\sysjw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appll32.exe
Virus:Trj/Downloader.EYC Disinfected C:\WINDOWS\system32\atlgr32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3yg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3yz.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iear32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\ieqg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ieys32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcxs.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\winnf.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\xpmmp.dll
  • 0
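The checklist Excal works through above (search and start pages redirected to a res:// resource inside a local DLL, a BHO with only the generic name "Class" loading a DLL from C:\WINDOWS, Run/RunOnce values named after a random executable in the Windows directory, and a service whose short name starts with a space and whose binary is missing) can be turned into a small triage script. The following is an added example written for this page, not a tool from the thread or part of HijackThis; it runs over a constructed excerpt modelled on the log posted above, flags the entries that match those patterns, and then collects the on-disk files behind them the way the Killbox list was assembled. The regular expressions and the pattern thresholds are this example's own assumptions about the HijackThis 1.99.1 line format.

```python
from __future__ import annotations
import re

# Constructed sample: a short excerpt modelled on the HijackThis 1.99.1 log
# posted in this thread. It is not a complete log.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F204D3D-B7CB-18CA-6ED8-FB07E3983F5F} - C:\WINDOWS\nethg32.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [appfi.exe] C:\WINDOWS\system32\appfi.exe
O4 - HKLM\..\RunOnce: [netyo.exe] C:\WINDOWS\netyo.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\crcy32.exe" /s (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# The two locations the renamed droppers in this thread kept reappearing in.
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")

# Assumed line shapes for the O2 / O4 / O23 sections of a HijackThis 1.99.1 log.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<short>.*?)\) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx))", re.IGNORECASE)


def _split_path(cmd: str) -> tuple[str, str]:
    """Return (directory, basename) in lower case for the binary named in an
    entry, discarding surrounding quotes and trailing arguments or notes."""
    exe = cmd.strip().strip('"')
    m = EXE_RE.match(exe)
    if m:
        exe = m.group(1)
    directory, _, base = exe.lower().rpartition("\\")
    return directory, base


def triage(log_text: str) -> list[tuple[str, str]]:
    """Flag entries matching the patterns cleaned up in this thread and return
    (line, reason) pairs. Unmatched lines are left for a human to judge."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = None
        if line.startswith(("R0 - ", "R1 - ")) and "res://" in line:
            # Start/search pages pointed at an HTML resource inside a local DLL.
            reason = "IE search/start page redirected to a local DLL resource (res://)"
        elif line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            reason = "default URLSearchHook removed"
        elif (m := BHO_RE.match(line)):
            directory, _ = _split_path(m["path"])
            if m["name"].strip() == "Class" or directory in WINDOWS_DIRS:
                reason = "BHO with a generic 'Class' name or a DLL dropped in the Windows directory"
        elif (m := RUN_RE.match(line)):
            directory, base = _split_path(m["cmd"])
            if directory in WINDOWS_DIRS and m["value"].lower() == base:
                reason = f"{m['key']} value named after its own executable in the Windows directory"
        elif (m := SVC_RE.match(line)):
            short = m["short"]
            problems = []
            if short != short.strip() or not re.fullmatch(r"[\w.-]+", short.strip()):
                problems.append("service name has leading whitespace or unusual characters")
            if "(file missing)" in m["path"]:
                problems.append("service binary missing on disk")
            if m["owner"] == "Unknown owner":
                problems.append("no publisher")
            if problems:
                reason = "; ".join(problems)
        if reason:
            findings.append((line, reason))
    return findings


def suspect_files(log_text: str) -> list[str]:
    """Collect the on-disk files behind each flagged entry, the way the helper
    in this thread assembled the list handed to Killbox."""
    files = set()
    for line, _ in triage(log_text):
        if line.startswith(("R0 - ", "R1 - ")):
            m = re.search(r"res://(.*?\.dll)", line, re.IGNORECASE)
            if m:
                files.add(m.group(1).lower())
            continue
        for rx, field in ((BHO_RE, "path"), (RUN_RE, "cmd"), (SVC_RE, "path")):
            m = rx.match(line)
            if m:
                directory, base = _split_path(m[field])
                files.add(f"{directory}\\{base}")
                break
    return sorted(files)


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_HJT_LOG):
        print(f"{why}\n    {entry}")
    print("files to remove:", *suspect_files(SAMPLE_HJT_LOG), sep="\n    ")
```

Only the legitimately installed items in the sample (the Acrobat BHO, the Microsoft AntiSpyware Run value, the Norton service) pass through unflagged; the about:blank start page is deliberately not flagged on its own, since the res:// lines already identify the hijack. A real log should still be read by a person, because a name-based heuristic like this will miss a dropper placed under Program Files.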

#18
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Well, we seem to have gotten rid of a lot of it, but we also have some that has returned.

Let's try this.

Were you able to find this service: Remote Procedure Call (RPC) Helper?


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xpmmp.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1F204D3D-B7CB-18CA-6ED8-FB07E3983F5F} - C:\WINDOWS\nethg32.dll
O2 - BHO: Class - {AC9C4885-7656-D10D-70A9-3D0592AAE898} - C:\WINDOWS\atlvs32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [appfi.exe] C:\WINDOWS\system32\appfi.exe
O4 - HKLM\..\RunOnce: [netyo.exe] C:\WINDOWS\netyo.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\crcy32.exe" /s (file missing)


9. Click the Fix Checked box.

10. Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\Russ\Favorites\SITES ABOUT
C:\Documents and Settings\Russ\Favorites\Only sex website.url
C:\Documents and Settings\Russ\Application Data\Lycos


11. Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\!Submit\appvd.exe
    C:\!Submit\atlxn.exe
    C:\!Submit\crcy32.exe
    C:\!Submit\d3ft.exe
    C:\!Submit\iezset.exe
    C:\!Submit\mfcmf.exe
    C:\!Submit\msdipo.dll
    C:\!Submit\msfaol.dll
    C:\!Submit\msfdje.gif
    C:\!Submit\mshpeb.dll
    C:\!Submit\msiaih.dll
    C:\!Submit\msnapl.dll
    C:\!Submit\msps.exe
    C:\!Submit\msvp.exe
    C:\!Submit\netoj32.exe
    C:\!Submit\ntkl.exe
    C:\!Submit\ntww.exe
    C:\!Submit\sdkuo32.exe
    C:\!Submit\syszx.exe
    C:\WINDOWS\addtx.exe
    C:\WINDOWS\atlkn.exe
    C:\WINDOWS\crwq.exe
    C:\WINDOWS\d3gs32.exe
    C:\WINDOWS\iegd.exe
    C:\WINDOWS\ieov32.exe
    C:\WINDOWS\javaet.exe
    C:\WINDOWS\msmz.exe
    C:\WINDOWS\netyo.exe
    C:\WINDOWS\sdktf32.exe
    C:\WINDOWS\SYSTEM32\sdkmj32.exe
    C:\WINDOWS\system32\appll32.exe
    C:\WINDOWS\system32\appfi.exe
    C:\WINDOWS\system32\d3yg32.exe
    C:\WINDOWS\system32\d3yz.exe
    C:\WINDOWS\system32\iear32.exe
    C:\WINDOWS\system32\ieys32.exe
    C:\WINDOWS\system32\mfcxs.exe
    C:\WINDOWS\xpmmp.dll
    C:\WINDOWS\crcy32.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
12. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created. Please save this log and copy it into your next post.
13. Scan with AdAware and let it remove any bad files found.

14. Run the program CleanUp! (do not reboot yet)

15. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

16. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

17. Delete Bad Service:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in the box: 11F#`I <=== Notice that there is a space before the first 1; make sure that's in there when entering it in the box
  • Click "ok", then reboot
18. Please post the Active scan log, Ewido log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#19
Goingcrazy

    Member

  • Topic Starter
  • Member
  • 17 posts
Excal,

When I look in services.msc, I do not find the "Network Security Service..." file even though it comes up on my HJT report. I do find "Remote Procedure Call (RPC) Locator", but not "Helper." I disabled the "Locator" one last time.
Any advice before I run through all of those steps again?

Thanks
  • 0

#20
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Just go ahead and run through it as I listed, please.


Thanks,

:tazz:

Excal
  • 0

#21
Goingcrazy

    Member

  • Topic Starter
  • Member
  • 17 posts
Excal,

I finally think we are making progress. I think psguard and about:blank browser viruses are gone. My Microsoft antivirus scan finally says 0 viruses, but the Panda scan still finds some. Here are the reports.


PANDA Active Scan:

Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkqh32.exe
Adware:adware/p2pnetworking No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\!Submit\addtx.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\appll32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\atlkn.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\crwq.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\d3gs32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\d3yg32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\d3yz.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\iear32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\iegd.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\!Submit\ieov32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\ieys32.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\javaet.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\mfcxs.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\!Submit\msmz.exe
Adware:Adware/SearchAid No disinfected C:\!Submit\sdktf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apidc.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\ievq32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\ntob.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\d3am32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\ntbd.exe
EWIDO Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:58:03 PM, 9/27/2005
+ Report-Checksum: 39BD1C5D

+ Date of database: 6/19/2005
+ Version of scan engine: v3.0

+ Duration: 46 min
+ Scanned Files: 46641
+ Speed: 16.88 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Russ\Cookies\russ@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Russ\Cookies\russ@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:58 PM, on 9/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you very much
  • 0

#22
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
There appear to be only two files left. The !Submit ones are the ones in the Killbox folder, so we are going to delete that whole folder.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove the following folders using Windows Explorer (if present):

C:\!Submit

Go to Start > Run and type in CMD, then hit OK.

Type the following:

cd C:\

then enter>

cd windows

then enter>

attrib -r -s -h apidc.exe

then enter>

del apidc.exe

then enter>

cd system32

then enter>

attrib -r -s -h sdkqh32.exe

then enter>

del sdkqh32.exe

Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0
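The reasoning in the post above (hits under C:\!Submit are Killbox's holding folder, Disinfected lines are already handled, so only two live files remain) is mechanical enough to script. The following is an added example written for this page, not something from the thread or from Panda; it parses a constructed excerpt of the ActiveScan report posted earlier in the thread, separates quarantined and already-disinfected hits from live files and registry-only entries, and emits the attrib/del pairs for the live files in the form used above. The line format regex and the quarantine folder list are this example's own assumptions.

```python
from __future__ import annotations
import re

# Constructed sample: a subset of the Panda ActiveScan lines posted in this
# thread, mixing quarantine-folder hits with live ones and a registry entry.
SAMPLE_PANDA_REPORT = r"""
Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkqh32.exe
Adware:adware/p2pnetworking No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\!Submit\addtx.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\!Submit\ieov32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apidc.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\ievq32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\d3am32.exe
"""

# Killbox keeps the files it removes under C:\!Submit (as noted in the thread),
# so hits there are contained copies, not a live infection. Assumed list.
QUARANTINE_DIRS = (r"c:\!submit",)

# One incident per line: "<kind>:<name> <status> <location>". The non-greedy
# name also copes with the report lines where the name runs into "No".
LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+?)\s*"
    r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.*)$"
)


def parse_report(text: str) -> list[dict[str, str]]:
    """Parse each incident line into its fields; the header and blank lines are skipped."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def classify(text: str) -> dict[str, list[str]]:
    """Sort incidents into what still needs action and what does not."""
    out: dict[str, list[str]] = {"disinfected": [], "quarantined": [], "non_file": [], "live": []}
    for item in parse_report(text):
        loc = item["location"]
        low = loc.lower()
        if item["status"] == "Disinfected":
            out["disinfected"].append(loc)
        elif any(low.startswith(q + "\\") for q in QUARANTINE_DIRS):
            out["quarantined"].append(loc)
        elif not re.match(r"^[a-z]:\\", low):
            # Registry or other non-file locations need a different tool than del.
            out["non_file"].append(f"{item['name']} ({loc})")
        else:
            out["live"].append(loc)
    return out


def cleanup_commands(paths: list[str]) -> list[str]:
    """Turn live file hits into the attrib/del pairs used in this thread to
    clear read-only/system/hidden attributes before deleting from a CMD prompt."""
    cmds = []
    for p in paths:
        cmds.append(f'attrib -r -s -h "{p}"')
        cmds.append(f'del "{p}"')
    return cmds


if __name__ == "__main__":
    buckets = classify(SAMPLE_PANDA_REPORT)
    for bucket, entries in buckets.items():
        print(f"{bucket}: {len(entries)}")
        for e in entries:
            print(f"    {e}")
    print("\n".join(cleanup_commands(buckets["live"])))
```

On the sample this leaves exactly the two files the post above singles out, apidc.exe and sdkqh32.exe, plus one registry-only entry that a file deletion cannot address. Quoting each path keeps the generated commands correct for directories with spaces.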

#23
Goingcrazy

    Member

  • Topic Starter
  • Member
  • 17 posts
My computer is running better, but the Active scan still finds spyware. Here are the logs.


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:33 PM, on 10/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD6218E7-4111-41A4-A125-FE8D163B9891}: NameServer = 205.188.146.145
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Active Scan:

Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkqh32.exe
Adware:adware/block-checker No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\addtx.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\appll32.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\atlkn.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\crwq.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\d3gs32.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\d3yg32.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\d3yz.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\iear32.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\iegd.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\ieov32.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\ieys32.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\javaet.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\mfcxs.exe
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\msmz.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\sdktf32.exe

I think we are almost there.

Thanks

#24
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Go ahead and run Cleanup, and that should get rid of those files.

I think you might have missed the second part of my last instructions, which listed that last file: C:\WINDOWS\SYSTEM32\sdkqh32.exe

If you could follow those one more time, that would be great :)

:tazz:

Excal

#25
Goingcrazy

    Member

  • Topic Starter
  • Member
  • 17 posts
Excal,

So here are the logs after the last set of instructions.

Active:

Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkvo32.exe
Adware:adware/block-checker No disinfected Windows Registry

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:05:49 PM, on 10/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD6218E7-4111-41A4-A125-FE8D163B9891}: NameServer = 205.188.146.145
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you very much, I think we're about there!!!
Are there things I should do on a regular basis to periodically clean the computer up and to check for spyware and viruses?

I really appreciate your computer know-how.
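The two ActiveScan reports above (posts #23 and #25) show the navipromo file coming back under a different name in the same folder (sdkqh32.exe, then sdkvo32.exe) while the registry entry stays put. As an added example, not code from this thread or from Panda, here is a small Python parser for that report format that diffs two reports and flags such a rename; the sample reports are constructed from the lines posted in the thread.

```python
import re
from typing import NamedTuple

class Incident(NamedTuple):
    kind: str       # "Adware"
    name: str       # "adware/navipromo"
    status: str     # "No disinfected" / "Disinfected"
    location: str   # file path, or "Windows Registry"

# One incident per line after the "Incident Status Location" header. The name is
# sometimes run straight into the status ("...HomeSearchAsisstantNo disinfected"),
# so the whitespace in front of the status is optional.
_LINE = re.compile(r"^(?P<kind>[A-Za-z]+):(?P<name>.+?)\s*"
                   r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$")

def parse_activescan(text: str) -> list[Incident]:
    """Return the incidents in an ActiveScan report; header and blank lines are skipped."""
    hits = (_LINE.match(line.strip()) for line in text.splitlines())
    return [Incident(m["kind"], m["name"], m["status"], m["location"]) for m in hits if m]

def _key(i: Incident) -> tuple[str, str]:
    return i.name.lower(), i.location.lower()

def _folder(i: Incident) -> str:
    return i.location.rsplit("\\", 1)[0].lower()

def compare_scans(before: str, after: str) -> dict[str, list[str]]:
    """Classify each earlier incident as removed, persisting, or renamed (same
    detection in the same folder under a new file name), and list new ones."""
    old, new = parse_activescan(before), parse_activescan(after)
    old_keys, new_keys = {_key(i) for i in old}, {_key(i) for i in new}
    report = {"removed": [], "persisting": [], "renamed": [], "new": []}
    rename_targets = set()
    for i in old:
        if _key(i) in new_keys:
            report["persisting"].append(i.location)
            continue
        twins = [j for j in new if j.name.lower() == i.name.lower()
                 and _folder(j) == _folder(i) and _key(j) not in old_keys]
        if twins:
            rename_targets.add(_key(twins[0]))
            report["renamed"].append(f"{i.location} -> {twins[0].location}")
        else:
            report["removed"].append(i.location)
    report["new"] = [j.location for j in new
                     if _key(j) not in old_keys and _key(j) not in rename_targets]
    return report

# Constructed sample in the shape of the two reports posted in this thread.
SCAN_OCT_1 = r"""Incident Status Location
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkqh32.exe
Adware:adware/block-checker No disinfected Windows Registry
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected C:\RECYCLER\S-1-5-21-789336058-839522115-1144902440-1004\Dc2\ieov32.exe
"""
SCAN_OCT_2 = r"""Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkvo32.exe
Adware:adware/block-checker No disinfected Windows Registry
"""
```

A "renamed" entry is the signal that the file was deleted but whatever recreates it is still running, which is why the helper sends the user back into safe mode rather than just deleting the new name.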



#26
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
AcK!

Go ahead into safe mode and get this last file.

C:\WINDOWS\SYSTEM32\sdkvo32.exe

Then do another Active scan, please.

When this is clean, I will give you a whole list of things to help better secure your computer :)

:tazz:

Excal

#27
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.