Win32.P2P-Worm Alcan.a help


  • This topic is locked

#46 gpsugy (Member, Topic Starter, 86 posts)

Hi. I'm using Spybot S&D right now, and I have tried to update it. The problem was that all of the updates had a "!!! bad checksum !" status after I tried to update them. I have no idea what to do. By the way, the location I used was see-cure #1 (Europe). I didn't really understand why you said to select the location that is closest to me, because all but one location had (Europe) next to it. Sorry for not understanding.

#47 gpsugy (Member, Topic Starter, 86 posts)

Never mind, I switched locations to (World) this time, and it now works.

#48 gpsugy (Member, Topic Starter, 86 posts)

Hi. I am almost finished with your steps, but I have one major problem with ewido right now. If I try to run the program, it does not show up on my desktop. I only see it on my desktop toolbar, and I can't maximize it. The only thing I can do is close it, making an "end now" window appear. I have tried many times to make it work, even in safe mode. There are times it does show up, but it is extremely slow, making my whole computer slow down. I tried to uninstall ewido and install it again, so I went to Control Panel and Add/Remove Programs. I clicked "remove" for ewido, but an error message (NSIS error) popped up, saying something about the program being corrupted or incomplete, due to a "damaged disk, virus, or a failed download."

Edited by gpsugy, 10 December 2005 - 02:44 PM.


#49 joshuacat (Visiting Staff, 188 posts)

Okay, post a fresh HijackThis log. Did the AntiVir scan detect and delete a lot of viruses when you ran it yesterday? Did you have problems removing any? Did Ad-Aware and SpyBot come up clean?
How are things working now?

Thanks,

#50 gpsugy (Member, Topic Starter, 86 posts)

OK, I will answer your questions. My AntiVir found quite a lot, but not a lot of viruses, not that I can completely remember, but today it scanned none. Problems? Not really, although every now and then a window popped up asking me if I wanted to delete a file or virus, although I'm not sure. I'm sorry, I cannot completely remember. Ad-Aware and Spybot showed quite a bit of things. Things are working the same right now, although I have retrieved 5 more GB on both my C drive and D drive than when you told me to do these things. Things are quite fast, I suppose. But I have already said that before. Also, I can now open my Task Manager using Ctrl+Alt+Delete. That is all that I can tell you, sorry. This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:12:28 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ghang Family\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble...NMStarter16.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.c.../mv/p3bvset.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.co...game/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I can never stop saying this, but thanks. :tazz:

#51 joshuacat (Visiting Staff, 188 posts)

Okay, looks better. Let's try the Panda Active scan again to see if we can get some of the leftover files.

Please run this online scan.

ActiveScan <====save the scan log and add it to your reply

Post back again with the scan log from the Panda Active scan and a fresh HiJackThis log.

#52 gpsugy (Member, Topic Starter, 86 posts)

Hi. I've finished your instructions, but I have something to say. Using the AntiVir guard, I have seen the warning window pop up several times. The warning was for the "Windows virus W32/Jeefo", or something similar to that. I keep clicking delete file, but that same warning comes up every once in a while. I just wanted you to know, if it could help you.

OK, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:09:47 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ghang Family\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble...NMStarter16.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.c.../mv/p3bvset.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.co...game/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

And my ActiveScan log:


Incident Status Location

Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/look2me Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ActiveX.ocx
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Ghang Family\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Ghang Family\Application Data\tvmknwrd.dll
Adware:adware/ncase Not disinfected C:\WINDOWS\salmau.dat
Adware:adware/seeqbar Not disinfected Windows Registry
Adware:Adware/Exact.BargainBuddyNot disinfected C:\temp\bb_auto_wider.swf
Adware:Adware/Exact.BargainBuddyNot disinfected C:\temp\bb_click_wider.swf
Adware:Adware/Exact.BargainBuddyNot disinfected C:\temp\logo.gif
Virus:Trj/Iconz.A Not disinfected C:\WINDOWS\iconz3.exe
Adware:Adware/Veevo Not disinfected C:\WINDOWS\system32\KDP397d.dll
Spyware:Spyware/Overpro Not disinfected C:\WINDOWS\Temp\nsdtmp09.dll

Edited by gpsugy, 11 December 2005 - 03:52 PM.


#53 joshuacat (Visiting Staff, 188 posts)

gpsugy: The Panda Active scan log looks a lot better. Remember that you could not post that log the last time I had you run a scan. I think we almost have the worst of these infection(s) behind us.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1.) Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


2.) Please download the Killbox by Option^Explicit.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • "Delete on Reboot"
    • then click on the "All Files" button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C:

    C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\ActiveX.ocx
    C:\Documents and Settings\Ghang Family\Local Settings\Temporary Internet Files\Ssk.log
    C:\Documents and Settings\Ghang Family\Application Data\tvmknwrd.dll
    C:\WINDOWS\salmau.dat
    C:\temp\bb_auto_wider.swf
    C:\temp\bb_click_wider.swf
    C:\temp\logo.gif
    C:\WINDOWS\iconz3.exe
    C:\WINDOWS\system32\KDP397d.dll
    C:\WINDOWS\Temp\nsdtmp09.dll
    C:\WINDOWS\svchost.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.
If your computer does not restart automatically, please restart it manually.


3.) Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Once installed, run CCleaner and click the Windows tab.
Select the following:
[image]
Next: click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs.", then click OK.
Then click Run Cleaner (bottom right), then Exit.


4.) Run a full system scan with Ad-Aware. Remove all items found. Repeat once if there are any items found. If there are any items that come up with each scan, write the name of the infection down and add the details to your reply.


5.) Run a scan with SpyBot. Remove all items found. Repeat once if there are any items found. If there are any items that come up with each scan, write the name of the infection down and add the details to your reply.

Restart your computer.


6.) Please run this online scan.

ActiveScan <====save the scan log and add it to your reply

Post back again with the scan log from the Panda Active scan and a fresh HiJackThis log. Let me know if there were any items that consistently came up in the scans with Ad-Aware and SpyBot.

#54 gpsugy (Member, Topic Starter, 86 posts)

OK, but what about my virus that contains the virus W32/Jeefo? Should I worry about that?

#55 gpsugy (Member, Topic Starter, 86 posts)

Hi. I'm a little confused about the CCleaner program. I am on the part where you said, "select the following," and I noticed "clipboard" and "windows log files" were unchecked. Does that mean I should uncheck those? Because when I downloaded the program, they were checked, along with a few other things.

#56 joshuacat (Visiting Staff, 188 posts)

Yes, uncheck them as shown.

The Jeefo infection should be taken care of with the deletion of one of the files that you deleted with Killbox. The entry that you removed with HiJackThis was also part of Jeefo.

Let's see where you are after you have completed all of these steps.

Let me know if you are still seeing signs of an infection after you are done.

#57 gpsugy (Member, Topic Starter, 86 posts)

Wait, then what about things like cookies? They are checked. Should I uncheck them?

Edited by gpsugy, 11 December 2005 - 04:35 PM.


#58 joshuacat (Visiting Staff, 188 posts)

I will give you my settings and you can go by them.

Internet Explorer - Everything is checked on, except Autocomplete Form History.
Windows Explorer - Everything is checked on.
System - Everything is checked on, except Clipboard and Windows Log Files.
Advanced - Nothing is checked on.

You can also set this: click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs."

Everything else can be left at default settings.

After you are done, click the Cleaner button (top left). Click Run Cleaner (bottom right).

Note: Make sure your browsers are closed before running the cleaner.

Edited by joshuacat, 11 December 2005 - 05:51 PM.


#59 gpsugy (Member, Topic Starter, 86 posts)

Okay, I'm finished with your instructions. From both Ad-Aware and Spybot, I found a few items that reappeared. They were the tracking cookies atdmt (something similar to that) and DoubleClick. For Spybot, it showed Avenue A, Inc., DoubleClick, and WildTangent. By the way, I have just gotten a Windows update. (Should I continue to receive those updates? Are they harmful?) Also, AntiVir has still detected the W32/Jeefo virus. It has not been deleted by the scans I have finished. It greatly annoys me. I have found the specific file, which is C:\SYSTEM VOLUME INFORMATION\_RESTORE{B32BA8D4-5E5A-41C0-9773-116ED9C8C0C9}\RP422\A0047930.EXE.

Anyway, here is my Panda ActiveScan log:


Incident Status Location

Adware:adware/ncase Not disinfected C:\WINDOWS\salm_kyf.dat
Adware:adware/seeqbar Not disinfected Windows Registry
Adware:Adware/Exact.BargainBuddyNot disinfected C:\!KillBox\bb_auto_wider.swf
Adware:Adware/Exact.BargainBuddyNot disinfected C:\!KillBox\bb_click_wider.swf
Virus:Trj/Iconz.A Not disinfected C:\!KillBox\iconz3.exe
Adware:Adware/Veevo Not disinfected C:\!KillBox\KDP397d.dll
Adware:Adware/Exact.BargainBuddyNot disinfected C:\!KillBox\logo.gif
Spyware:Spyware/Overpro Not disinfected C:\!KillBox\nsdtmp09.dll

And this is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:48 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ghang Family\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble...NMStarter16.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.c.../mv/p3bvset.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.co...game/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I've done everything you've told me to do. I hope you can help me. Thanks :tazz:

#60 joshuacat (Visiting Staff, 188 posts)

gpsugy:

I will answer some of your questions.

Windows Updates - Nothing to worry about, this is a good thing. This will ensure your computer has all of the latest security updates available installed on your computer and is secure from any known security holes.

W32/Jeefo virus - This is one of the entries in your HiJackThis log that I am still trying to get rid of: O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing). From what I can see from your log, the file has been deleted, but the service still exists. We will get rid of it in this post. Your antivirus program is detecting the file (A0047930.EXE) in the System Restore point. In that state, the virus is harmless unless you do an XP System Restore. We will clear your System Restore points as part of my cleanup speech. Right now, a bad System Restore point is better than none at all.

Entries detected by Ad-aware and SpyBot - I believe, and I could be wrong, that SpyBot and Ad-aware are picking up some of the remnants from when you had several infections on your computer. We will see if you come up clean after this post.

By the way, in case you see this in the Panda Scan, any of the files that are in the C:\!KillBox\ directory are safe in their current location. KillBox uses this directory as backup in case we want to restore the file later.

Let's run through the steps below and see where we are after this post.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1.)
  • Please double-click Killbox.exe.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\salm_kyf.dat

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.


2.) Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Power Manager (PowerManager)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on None of the above, just start the program. Now, click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

PowerManager

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.


3.) Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


4.) Run a full system scan with Ad-Aware. Remove all items found. Repeat once if there are any items found. If there are any items that come up with each scan, write the name of the infection down and add the details to your reply.


5.) Run a scan with SpyBot. Remove all items found. Repeat once if there are any items found. If there are any items that come up with each scan, write the name of the infection down and add the details to your reply.

Restart your computer.


6.) Please run this online scan.

ActiveScan <====save the scan log and add it to your reply

Post back again with the scan log from the Panda Active scan and a fresh HiJackThis log. Let me know if there were any items that consistently came up in the scans with Ad-Aware and SpyBot.
  • 0
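As an added example (my own code, not the thread's or any tool's), a small Python triage script for the two log formats joshuacat works from in posts #53 and #60: it flags O23 service entries like the Power Manager one (binary reported missing, a svchost.exe outside System32) and turns a Panda ActiveScan incident list into the file-path list that the Killbox step takes, skipping registry-only incidents and files already sitting in the C:\!KillBox\ backup directory. The sample log lines are constructed from entries in this thread; the flag rules are my own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's HijackThis logs (a few lines only).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

# Constructed sample in the shape of the thread's Panda ActiveScan logs. The
# BargainBuddy line keeps the missing space before "Not disinfected" exactly as
# the thread shows it, so the parser has to cope with that.
PANDA_SAMPLE = r"""
Incident Status Location

Adware:adware/ncase Not disinfected C:\WINDOWS\salm_kyf.dat
Adware:adware/seeqbar Not disinfected Windows Registry
Adware:Adware/Exact.BargainBuddyNot disinfected C:\!KillBox\bb_auto_wider.swf
Virus:Trj/Iconz.A Not disinfected C:\WINDOWS\iconz3.exe
Spyware:Spyware/Overpro Not disinfected C:\WINDOWS\Temp\nsdtmp09.dll
"""

KILLBOX_BACKUP_DIR = "c:\\!killbox\\"   # Killbox keeps a copy of deleted files here
SYSTEM32 = "c:\\windows\\system32\\"    # where the real svchost.exe lives on XP
# Windows component names that malware borrows; the legitimate copies sit in System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


@dataclass
class ServiceFinding:
    name: str
    owner: str
    path: str
    reasons: list


def parse_o23(line):
    """Split 'O23 - Service: <name> - <owner> - <path>' into (name, owner, path)."""
    parts = line.split(" - ", 3)
    if len(parts) != 4 or parts[0] != "O23" or not parts[1].startswith("Service: "):
        return None
    return parts[1][len("Service: "):], parts[2], parts[3]


def triage_services(log_text):
    """Return the O23 entries worth a closer look, in log order, with reasons."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o23(line.strip())
        if parsed is None:
            continue
        name, owner, path = parsed
        reasons = []
        if path.endswith(" (file missing)"):
            path = path[: -len(" (file missing)")]
            reasons.append("binary is gone but the service is still registered")
        lowered = path.lower()
        basename = lowered.rsplit("\\", 1)[-1]
        if basename in SYSTEM_BINARY_NAMES and not lowered.startswith(SYSTEM32):
            reasons.append(f"{basename} outside System32 (borrowed Windows component name)")
        if reasons:
            findings.append(ServiceFinding(name, owner, path, reasons))
    return findings


# "<Category>:<family>[ ]Not disinfected <location>"; the family may run straight
# into "Not disinfected" with no space, as in the thread's BargainBuddy lines.
PANDA_LINE = re.compile(r"^(\w+):(\S+?)\s*Not disinfected\s+(.+?)\s*$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_panda(log_text):
    """Return (category, family, location) for every 'Not disinfected' incident."""
    incidents = []
    for line in log_text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            incidents.append(m.groups())
    return incidents


def killbox_list(log_text):
    """File paths to paste into Killbox: registry-only incidents and files already
    moved to the Killbox backup directory by an earlier run are left out."""
    paths = []
    for _category, _family, location in parse_panda(log_text):
        if not DRIVE_PATH.match(location):
            continue  # e.g. "Windows Registry": not a file, Killbox cannot act on it
        if location.lower().startswith(KILLBOX_BACKUP_DIR):
            continue  # already quarantined; safe where it is (see post #60)
        paths.append(location)
    return paths


if __name__ == "__main__":
    for finding in triage_services(HJT_SAMPLE):
        print(f"{finding.name} [{finding.owner}] -> {finding.path}")
        for reason in finding.reasons:
            print("   -", reason)
    print("\nPaste into Killbox:")
    print("\n".join(killbox_list(PANDA_SAMPLE)))
```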





