First log, multiple problems



#1 eabush (New Member, 7 posts)
Hello
Well, I have painstakingly followed the "start here" thread and done all the steps to the best of my ability. My biggest problem at the moment is that after running Pandascan and TrojanHunter today, I am having problems once I boot up in normal mode. It appears to boot up fine, but once I'm there I seem to be locked up. The only thing I can access is Ctrl-Alt-Delete and the Task Manager. I can't click on any icons or the taskbar; all I get is an hourglass. So, needless to say, I'm currently running in Safe Mode with Networking.
My other issue is that I have been unable to do any security updates at Microsoft. It gives me an error message saying I'm not able to view this page, but I am unable to troubleshoot the error code anywhere on their website. I have emailed them and am awaiting their response. This is my 16-year-old's laptop and of course has not had ANY security updates that I can find. Oh, and his CD drive isn't working :tazz:.
So, here's my log. I can see some pretty obvious issues with it, but don't plan on doing anything without the advice of someone who has a clue more than me :) Thanks so much in advance for ANY assistance!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 5:48:05 PM, on 10/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.surveymon...p?u=14332742466
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [AutoLoadero0qe1ONKUIPO] "C:\WINDOWS\System32\uicay.exe"
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [o79U34Q] uicay.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [zsgemcz] C:\WINDOWS\zsgemcz.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127352231\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Admin\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [rundll32] rundll32.exe url.dll,FileProtocolHandler .xrg
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128038425202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128985411355
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhos...chm::/index.exe
O21 - SSODL: HGPcBzh - {1033769A-BA99-DC30-1960-7E5451AFBE1F} - C:\WINDOWS\System32\fizh.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\wabsrdx.exe (file missing)
#2 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Hi eabush, welcome to GeeksToGo

You have too many infections there. Let's start to clean them up.

Please print these instructions for use in safe mode.

Please download miekiemoes' LQfix batch here:
http://users.telenet...tools/LQfix.zip
Unzip it to the desktop but don't run it yet.

Update your Ewido for latest definitions:
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido
Reboot your computer into Safe Mode (without networking). You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

First, locate on your desktop LQfix.bat and run it.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Open HijackThis and click Scan. Put a check next to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.surveymon...p?u=14332742466
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [AutoLoadero0qe1ONKUIPO] "C:\WINDOWS\System32\uicay.exe"
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [o79U34Q] uicay.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [zsgemcz] C:\WINDOWS\zsgemcz.EXE
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Admin\LOCALS~1\Temp\InSearch.exe
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhos...chm::/index.exe
O21 - SSODL: HGPcBzh - {1033769A-BA99-DC30-1960-7E5451AFBE1F} - C:\WINDOWS\System32\fizh.dll (file missing)


Close all other windows except HijackThis and click Fix Checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Now locate and delete these files if found:

C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\uicay.exe
C:\WINDOWS\System32\medgs1.exe
C:\WINDOWS\System32\opr.exe
C:\WINDOWS\zsgemcz.EXE
C:\DOCUMENTS AND SETTINGS\Admin\LOCAL SETTINGS\Temp\InSearch.exe
C:\nosuch.mht
C:\WINDOWS\System32\fizh.dll
C:\WINDOWS\wabsrdx.exe

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Windows Overlay Components

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HijackThis and click on "None of the above, just start the program". Now click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the item below into that field (make sure there are NO spaces before or after the name):

Windows Overlay Components

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

After that, reboot. See if you can get into normal mode now. Whether you can or not, post a new HijackThis log and the Ewido log.
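The entries Armodeluxe picked out of the log above share a handful of tell-tale traits: an autorun that points at a file in a Temp folder, a bare filename with no directory, a `rundll32.exe url.dll,FileProtocolHandler` launcher, an `ms-its:` download hook, and service or SSODL entries whose file is already missing or whose owner is unknown. The following Python script is an added example written for this page, not a tool from the thread or from the HijackThis project; it parses HijackThis v1.99.1 log lines and applies exactly those heuristics, so the same triage can be repeated over a fresh log. The flag names, the `O4_RUN` regex and the sample excerpt (lines copied from the first log in this thread) are my own choices and assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt: a few lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [o79U34Q] uicay.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Admin\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [rundll32] rundll32.exe url.dll,FileProtocolHandler .xrg
O4 - Global Startup: RtlWake.lnk = ?
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhos...chm::/index.exe
O21 - SSODL: HGPcBzh - {1033769A-BA99-DC30-1960-7E5451AFBE1F} - C:\WINDOWS\System32\fizh.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\wabsrdx.exe (file missing)
"""

# One HijackThis entry: a section code (R0, O4, O23, ...), " - ", then the body.
HJT_LINE = re.compile(r'^(?P<section>[RFNO]\d+) - (?P<body>.+)$')
# Body of an O4 registry autorun: HKLM\..\Run: [name] command  (assumed layout)
O4_RUN = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn raw log text into Entry objects; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group('section'), m.group('body')))
    return entries


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def flag_entry(entry: Entry) -> List[str]:
    """Triage flags for one entry; each mirrors a pattern the helper acted on in this thread."""
    flags = []
    low = entry.body.lower()
    if '(file missing)' in low:
        flags.append('file-missing')        # dangling autorun/service whose file is already gone
    if '\\temp\\' in low:
        flags.append('runs-from-temp')      # legitimate software rarely autoruns from a Temp folder
    if entry.section == 'O4':
        m = O4_RUN.match(entry.body)
        if m:
            exe = executable_of(m.group('cmd'))
            if '\\' not in exe:
                flags.append('bare-filename')   # no directory: resolved via the search path
            if exe.lower() == 'rundll32.exe' and 'fileprotocolhandler' in low:
                flags.append('rundll32-fileprotocolhandler')  # url.dll used to open an arbitrary file
    if entry.section == 'O16' and 'ms-its:' in low:
        flags.append('ms-its-protocol')     # ms-its/CHM download hook, not a normal ActiveX cab
    if entry.section == 'O23' and 'unknown owner' in low:
        flags.append('unknown-owner')       # service binary with no publisher information
    return flags


def triage(text: str) -> List[Entry]:
    """Parse the log and return only the entries that raised at least one flag."""
    flagged = []
    for entry in parse_hjt(text):
        entry.flags = flag_entry(entry)
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags):40} {e.body}")
```

Run it against a full log and the flagged list is a starting point for review, not a verdict: a bare `rundll32.exe` or a missing file can be benign, which is why the script reports the reason for each flag rather than deciding anything on its own.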

#3 eabush (Topic Starter, New Member, 7 posts)
Hello
First, let me say thank you so much for your help! Second, I apologize for the delay in reposting; it's been a busy weekend. I am able to boot up into normal mode, but I know that I still have issues, as my CPU usage is running around 100% and I got slammed with pop-ups as soon as I opened IE. I suspect it's something called "sgenie.exe", as things improve after I end it in the Task Manager. Also, as I was doing the HJT fixes, a few things did not show up as they had in my original log, so I only fixed those that I could find according to your instructions.

Logfile of HijackThis v1.99.1
Scan saved at 10:03:10 PM, on 10/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\sgenie.exe
C:\WINDOWS\.xrg
C:\PROGRA~1\COMMON~1\AOL\112735~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\112735~1\EE\AOLServiceHost.exe
C:\Program Files\InstallShield Software Corporation\802.11b Wireless Lan Utility\RtlWake.exe
C:\Program Files\Wireless LAN Utility\WlanUtility.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127352231\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [rundll32] rundll32.exe url.dll,FileProtocolHandler .xrg
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - HKCU\..\Run: [rundll32] rundll32.exe url.dll,FileProtocolHandler .xrg
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128038425202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128985411355
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Ewido scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:13:50 PM, 10/16/2005
+ Report-Checksum: 3D4E6692

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup


::Report End


Erin

#4 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
It's looking much better than the first time :tazz:

Open HijackThis and click Scan.

Put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [rundll32] rundll32.exe url.dll,FileProtocolHandler .xrg
O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe
O4 - HKCU\..\Run: [rundll32] rundll32.exe url.dll,FileProtocolHandler .xrg


Close all other windows except HijackThis and click Fix Checked.

Boot into safe mode and delete these files:

C:\WINDOWS\System32\sgenie.exe
C:\WINDOWS\.xrg

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log". It will be saved in the same folder with HijackThis.
  • Copy and paste the StartupList from the notepad into your next post
Reboot back to normal mode.

Go here to make an online scan:

http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Then post a new HijackThis log, the Startup List and the Panda Report.

#5 eabush (Topic Starter, New Member, 7 posts)
OMG... I owe you an apology. I am soooo sorry that I have not responded. I have been checking every day for your response, but I was not actually checking the actual thread, just doing a search and seeing if there were any responses, and apparently misread it. I thought the 3 in the "reply" column was actually 3 "posts", if you know what I mean, so I thought I was waiting for your response. I'm so sorry.
I will work on your above recommendations as soon as I get home from work tomorrow. I do need to ask, though... I discovered tonight that suddenly I am unable to connect to the internet on the laptop. I have not tried starting in Safe Mode with Networking as I did before yet... not sure exactly what the problem is. It says I have a network connection, but I get the "page cannot be displayed" message. Should I run the WinsockXPFix again? I have tried rebooting the computer as well as the wireless router, without success. Tomorrow, when I get home, I'll check in here on my main computer, follow your above recommendations, and try to connect and post a log if I can. Again, I sincerely apologize for not responding sooner.

#6 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Try this for the internet connection:


Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.

These instructions are basically for home users.

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically".

Press OK twice to get out of the Properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(That space between g and / is needed.)

See if it works after that.

#7 eabush (Topic Starter, New Member, 7 posts)
OK, I've followed your instructions up to the Pandascan, and I followed your instructions regarding the internet connection, but I'm not able to connect. Well, let me clarify that... it APPEARS that I have a net connection and says that I'm connected, but with IE I get "cannot find server", and if I attempt to repair the connection, it says that renewing the IP address has failed. I tried booting into Safe Mode with Networking and it says the wireless network connection is unavailable. I'm stumped. I also followed the troubleshooter and did ipconfig /release; the DNS suffix was blank, as well as the default gateway. When I proceeded with renew, the error message I got said this: "unable to contact your dhcp server. request has timed out." I have no idea what this means. It says that my wireless internet connection is enabled and working. The other thing that has me stumped is that I haven't really done anything with the laptop between the time I posted my last HJT log and the other night when I read your next instructions, which was when I first noticed I wasn't able to get online with it. Should I attempt a System Restore? I'm sorry that my problems seem to be mushrooming, but at least I can say that it seems to be running a bit better, with the exception of the net connection. :tazz:

#8 eabush (Topic Starter, New Member, 7 posts)
Just an update to my above post. My internet connection is now fixed and it apparently had nothing to do with this computer. We had to reset our wireless router and reinstall the software on our main computer. Now that I am back up, I will go ahead and finish your last recommendations. I think I will start over at the beginning as "sgenie" seems to have reappeared in the task manager. Will repost as soon as I can!

#9 eabush (Topic Starter, New Member, 7 posts)
Ok, so here I am. Hopefully I have everything that you requested. Pandascan was brutal :tazz:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 11:23:53 PM, on 10/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\mstray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\InstallShield Software Corporation\802.11b Wireless Lan Utility\RtlWake.exe
C:\Program Files\Wireless LAN Utility\WlanUtility.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\COMMON~1\AOL\112735~1\EE\AOLHOS~1.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\112735~1\EE\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127352231\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [mstray] C:\WINDOWS\mstray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - HKCU\..\Run: [mstray] C:\WINDOWS\mstray.exe
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128038425202
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128985411355
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


startup:
Start
Incident Status Location

Adware:adware/cws.searchmeup Reported C:\WINDOWS\SYSTEM32\bose.ico
Spyware:spyware/safesurf Reported C:\WINDOWS\SYSTEM32\InstallerV3.exe
Adware:adware/afaenhance Reported C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/bookedspace Reported C:\WINDOWS\cfgmgr52.ini
Adware:adware program Reported C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/wintools Reported Windows Registry
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@10102[1].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Admin\Cookies\admin@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinderReported C:\Documents and Settings\Admin\Cookies\admin@adultfriendfinder[1].txt
Spyware:Cookie/SearchingBooth Reported C:\Documents and Settings\Admin\Cookies\admin@aycm5[2].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@BassMan[2].txt
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@BigBlue[1].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@Kiddo[1].txt
Spyware:Cookie/DomainSponsor Reported C:\Documents and Settings\Admin\Cookies\admin@landing.domainsponsor[1].txt
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-75cfc68e.RB0[a.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-75cfc68e.RB0[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-75cfc68e.RB0[VerifierBug.class]
Virus:Trj/Classloader.I Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[b.class]
Virus:Exploit/BytVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[c.class]
Virus:Exploit/BytVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[a.class]
Virus:Trj/Downloader.DIS Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[d.class]
Virus:Exploit/BytVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.zip[a.class]
Virus:Trj/Downloader.EGM Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-333fe01c-6328504c.RB0[web.exe]
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@10102[1].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Admin\Cookies\admin@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinderReported C:\Documents and Settings\Admin\Cookies\admin@adultfriendfinder[1].txt
Spyware:Cookie/SearchingBooth Reported C:\Documents and Settings\Admin\Cookies\admin@aycm5[2].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@BassMan[2].txt
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@BigBlue[1].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@Kiddo[1].txt
Spyware:Cookie/DomainSponsor Reported C:\Documents and Settings\Admin\Cookies\admin@landing.domainsponsor[1].txt
Virus:Trj/Downloader.BYN Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4HI7KHE7\trk_0031[1].exe
Adware:Adware/Popuper Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\OPQRSPQR\mstray[1].exe
Adware:Adware/Pacimedia Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SXEVWHYN\pcs_0031[1].exe
Virus:VBS/Psyme.C Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SXEVWHYN\TRACK31[1].CHM[track31.htm]
Adware:Adware/PopupSearches Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp
Spyware:Cookie/Zedo Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp
Adware:Adware/Popuper Reported C:\WINDOWS\mstray.exe
Spyware:Spyware/BetterInet Reported C:\WINDOWS\system\QBUninstaller.exe
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\InstallerV3.exe
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\richedtr.dll

panda:


Incident Status Location

Adware:adware/cws.searchmeup Reported C:\WINDOWS\SYSTEM32\bose.ico
Spyware:spyware/safesurf Reported C:\WINDOWS\SYSTEM32\InstallerV3.exe
Adware:adware/afaenhance Reported C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/bookedspace Reported C:\WINDOWS\cfgmgr52.ini
Adware:adware program Reported C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/wintools Reported Windows Registry
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@10102[1].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Admin\Cookies\admin@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinderReported C:\Documents and Settings\Admin\Cookies\admin@adultfriendfinder[1].txt
Spyware:Cookie/SearchingBooth Reported C:\Documents and Settings\Admin\Cookies\admin@aycm5[2].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@BassMan[2].txt
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@BigBlue[1].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@Kiddo[1].txt
Spyware:Cookie/DomainSponsor Reported C:\Documents and Settings\Admin\Cookies\admin@landing.domainsponsor[1].txt
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-75cfc68e.RB0[a.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-75cfc68e.RB0[Dummy.class]
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-75cfc68e.RB0[VerifierBug.class]
Virus:Trj/Classloader.I Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[b.class]
Virus:Exploit/BytVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[c.class]
Virus:Exploit/BytVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[a.class]
Virus:Trj/Downloader.DIS Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.RB0[d.class]
Virus:Exploit/BytVerify Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-65695b65-14756821.zip[a.class]
Virus:Trj/Downloader.EGM Reported C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-333fe01c-6328504c.RB0[web.exe]
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@10102[1].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Admin\Cookies\admin@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinderReported C:\Documents and Settings\Admin\Cookies\admin@adultfriendfinder[1].txt
Spyware:Cookie/SearchingBooth Reported C:\Documents and Settings\Admin\Cookies\admin@aycm5[2].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@BassMan[2].txt
Spyware:Cookie/Allthatsearch Reported C:\Documents and Settings\Admin\Cookies\admin@BigBlue[1].txt
Spyware:Cookie/nCase Reported C:\Documents and Settings\Admin\Cookies\admin@Kiddo[1].txt
Spyware:Cookie/DomainSponsor Reported C:\Documents and Settings\Admin\Cookies\admin@landing.domainsponsor[1].txt
Virus:Trj/Downloader.BYN Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4HI7KHE7\trk_0031[1].exe
Adware:Adware/Popuper Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\OPQRSPQR\mstray[1].exe
Adware:Adware/Pacimedia Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SXEVWHYN\pcs_0031[1].exe
Virus:VBS/Psyme.C Reported C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SXEVWHYN\TRACK31[1].CHM[track31.htm]
Adware:Adware/PopupSearches Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp
Spyware:Cookie/Zedo Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp
Adware:Adware/Popuper Reported C:\WINDOWS\mstray.exe
Spyware:Spyware/BetterInet Reported C:\WINDOWS\system\QBUninstaller.exe
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\InstallerV3.exe
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\richedtr.dll

#10
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
You posted the Panda scan twice instead of the Startup List. That's OK, I'll ask for a new one, so delete that old one first so that you don't post the old one.

Please print these instructions for use in safe mode.

Open HijackThis and click Scan. Put a check next to these:

O4 - HKLM\..\Run: [mstray] C:\WINDOWS\mstray.exe
O4 - HKCU\..\Run: [mstray] C:\WINDOWS\mstray.exe


Close all other windows except HijackThis and click Fix Checked.

Boot into safe mode by tapping the F8 key just before Windows starts to load.

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files


4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Then go to Start>Run and type: cleanmgr

Run the Disk Cleanup utility after putting a check next to these:

Temporary Files
Temporary Internet Files
Recycle Bin


After that, run Cleanup! to make sure all temp files are wiped out.

Then navigate to and delete these files and folders in bold:

C:\WINDOWS\SYSTEM32\bose.ico
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM\QBUninstaller.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\mstray.exe
C:\WINDOWS\system32\richedtr.dll
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log". It will be saved in the same folder with HijackThis.
  • Copy and paste the StartupList from the notepad into your next post
Reboot back to normal mode. Let's run one more scan to make sure of cleaning.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
So post me the Kaspersky results and the Startup List.
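The helper's reply above does two things by hand with the OP's logs: it picks the HijackThis O4 lines whose target (mstray.exe) Panda flagged, and it turns the Panda report into a list of files to delete while leaving the tracking cookies to Disk Cleanup. The script below is an added example of that triage step, written for this thread; it is not part of HijackThis, Panda, or anything the posters here supplied. Its sample input is excerpted from the logs posted in this thread (including the report line where the status word ran into the detection name), and the Panda status words other than "Reported" are an assumption, since only "Reported" appears on this page. It only correlates and lists; deciding what to delete still belongs to whoever is reading the log.

```python
"""Correlate a Panda ActiveScan report with HijackThis autostart entries.

Added example for this thread, not HijackThis, Panda or forum tooling.
Sample input is excerpted from the logs posted above. The status vocabulary
is assumed: only "Reported" occurs on the page, the other two words are
placeholders for values a real report might carry.
"""
import re
from collections import defaultdict

# Constructed sample: a few O4/O23 lines from the posted HijackThis log.
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [mstray] C:\WINDOWS\mstray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mstray] C:\WINDOWS\mstray.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Constructed sample: lines from the posted Panda report. The same file is
# listed under SYSTEM32 and system32, and one line lost the space before
# its status word, exactly as in the thread.
PANDA_REPORT = r"""
Incident Status Location

Adware:adware/cws.searchmeup Reported C:\WINDOWS\SYSTEM32\bose.ico
Spyware:spyware/safesurf Reported C:\WINDOWS\SYSTEM32\InstallerV3.exe
Adware:adware/wintools Reported Windows Registry
Spyware:Cookie/adultfriendfinderReported C:\Documents and Settings\Admin\Cookies\admin@adultfriendfinder[1].txt
Adware:Adware/Popuper Reported C:\WINDOWS\mstray.exe
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\InstallerV3.exe
"""

# <Category>:<Name> <Status> <Location>; the name is non-greedy and the
# whitespace before the status optional, so a run-together line still parses.
PANDA_LINE = re.compile(
    r"^(?P<category>\w+):(?P<name>\S+?)\s*"
    r"(?P<status>Reported|Disinfected|Deleted)\s+(?P<location>.+?)\s*$"
)
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")


def norm(path):
    """Comparison key for Windows paths: the filesystem is case-insensitive,
    so SYSTEM32\\x and system32\\x are one file."""
    return path.strip().strip('"').casefold()


def command_target(command):
    """Executable named by a Run value: a quoted path, else the first token.
    An unquoted path that contains spaces would be cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_panda(text):
    """Return one dict (category, name, status, location) per report line."""
    return [m.groupdict() for m in map(PANDA_LINE.match, map(str.strip, text.splitlines())) if m]


def parse_hijackthis(text):
    """Return autostart entries (O4 Run values and O23 services) with their target path."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = O4_LINE.match(line)
        if m:
            entries.append({"section": "O4", "hive": m["hive"], "name": m["name"],
                            "path": command_target(m["command"])})
            continue
        m = O23_LINE.match(line)
        if m:
            entries.append({"section": "O23", "hive": "", "name": m["name"], "path": m["path"]})
    return entries


def flagged_autostarts(findings, entries):
    """Autostart entries whose target file the scanner flagged. These are the
    lines to fix in HijackThis before the file is deleted, so no dangling
    Run value is left behind."""
    flagged = {norm(f["location"]): f["name"] for f in findings}
    return [(e["section"], e["hive"], e["name"], e["path"], flagged[norm(e["path"])])
            for e in entries if norm(e["path"]) in flagged]


def files_to_review(findings):
    """Distinct on-disk files the scanner flagged, grouped by category.
    Tracking cookies are left to Disk Cleanup and registry-only hits are
    not files, so both are skipped; duplicates differing only in case collapse."""
    groups = defaultdict(dict)
    for f in findings:
        if f["name"].casefold().startswith("cookie/"):
            continue
        if not re.match(r"^[a-z]:\\", f["location"], re.IGNORECASE):
            continue
        groups[f["category"]].setdefault(norm(f["location"]), f["location"])
    return {cat: sorted(originals.values()) for cat, originals in groups.items()}


if __name__ == "__main__":
    findings = parse_panda(PANDA_REPORT)
    entries = parse_hijackthis(HIJACKTHIS_LOG)
    for hit in flagged_autostarts(findings, entries):
        print("fix in HijackThis:", hit)
    for category, paths in files_to_review(findings).items():
        print(category, "->", paths)
```

Run as-is it prints the two mstray Run values (HKLM and HKCU) as the entries to fix, then the distinct adware and spyware files, with the cookies and the "Windows Registry" hit filtered out and the two spellings of InstallerV3.exe collapsed into one. Feeding it the full report from the thread twice, as the OP posted it, gives the same file list, which is the point of deduplicating on the normalised path.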