
Conhook, etc [RESOLVED]



#1 jnans (Member)
Logfile of HijackThis v1.99.1
Scan saved at 7:13:36 PM, on 12/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\winlog.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Winamp\winampa.exe
C:\winapi64.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Services] C:\winapi64.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133918127843
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\SYSTEM32\jkhhh.dll
O20 - Winlogon Notify: sstqo - sstqo.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe


#2 retrac (Visiting Staff)
Hello jnans and Welcome to Geeks to Go :)

Sorry for the delay on getting to your log :)

Please post a New HijackThis log :tazz:

Thanks

#3 jnans (Topic Starter)
Not a problem, thanks for your help!

Here is a new log:




Logfile of HijackThis v1.99.1
Scan saved at 2:55:59 AM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\dllmgr64.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\scvhost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igps.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\pgws.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\z00096.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\pmnlm.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Services] C:\winapi64.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133918127843
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\System32\pmnlm.dll
O20 - Winlogon Notify: sstqo - sstqo.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)

#4 retrac (Visiting Staff)
Hello jnans :) Let's knock this Malware OUT :tazz:



Please print these instructions out for use in Safe Mode.



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\pmnlm.dll

  • Press Enter to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\mlnmp.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\pmnlm.dll
    O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
    O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
    O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...ogin-devel.cab
    O20 - Winlogon Notify: pmnlm - C:\WINDOWS\SYSTEM32\pmnlm.dll
    O20 - Winlogon Notify: sstqo - sstqo.dll (file missing)

  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.




Please delete these folders using Windows Explorer (if present):

C:\Program Files\QL

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\DH.dll
C:\WINDOWS\dllmgr64.exe
C:\WINDOWS\System32\igps.exe
C:\WINDOWS\z00096.exe
C:\WINDOWS\System32\pgws.exe






Then,
Please run this online virus scan:
You will need to be using Microsoft Internet Explorer to do this scan : Link to ActiveScan
Click the "Scan Your PC" button in the middle of the page.
You will have to Allow the installation of Active X controls.
You will have to enter a valid e-mail address.
Then click "My Computer" when it asks what you want to scan.
Save the Report after scan finishes. (somewhere you can find it)



Next
Open HijackThis, click None of the above, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Now make a NEW HijackThis Log.



Here is what I need from you:

1. Vundofix.txt from the Vundo Folder
2. Uninstall_list.txt from the HijackThis Folder
3. ActiveScan.txt
4. A New HijackThis log



ALSO, what kind of Sound Card do you have?? Do you use Creative....

Also, do you use any "Parental Controls" on this computer??


Thanks :)
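As an added illustration (not part of jnans's or retrac's posts, and not a tool from this thread): a small Python script that applies the same triage retrac did by hand on the HijackThis log in post #3. It flags running processes whose name is one or two letters off a Windows system binary (scvhost.exe next to svchost.exe), O4/O23 entries whose binary sits directly in C:\ or C:\WINDOWS rather than System32 or Program Files, O20 Winlogon Notify entries whose DLL is missing, and the Vundo tell-tale of one System32 DLL registered as both an O2 BHO and an O20 Winlogon Notify handler, for which it also derives the reversed-name companion (pmnlm.dll to mlnmp.*) that the VundoFix second-filepath step in post #4 asks for. The embedded log is a constructed subset of the lines posted in this thread; the rule names, the two-edit threshold and the directory allowlist are my own choices, not anything HijackThis or VundoFix defines.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\dllmgr64.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\System32\pmnlm.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Services] C:\winapi64.exe
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\System32\pmnlm.dll
O20 - Winlogon Notify: sstqo - sstqo.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
"""

# Windows system binaries that malware likes to masquerade as (scvhost.exe, winlog.exe).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe"}
# Legitimate names that happen to sit within two edits of a system binary.
KNOWN_NAMES = SYSTEM_BINARIES | {"iexplore.exe"}
# Where installed software normally lives (lower-case). My allowlist, not HijackThis's.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\progra~1")

ENTRY_RE = re.compile(r"^([RO]\d+) - .*$")
# A full path to an .exe or .dll inside an entry, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))"?', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def levenshtein(a, b):
    """Edit distance; inputs are short file names, so the simple O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_expected_dir(path):
    return any(path.lower().startswith(d + "\\") for d in EXPECTED_DIRS)


def vundo_companion(dll_path):
    """The VundoFix 'second filepath': the DLL's name reversed, with any extension."""
    directory, name = ntpath.split(dll_path)
    return ntpath.join(directory, ntpath.splitext(name)[0][::-1] + ".*")


def parse(log_text):
    """Split a HijackThis log into the running-process list and the typed entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append((ENTRY_RE.match(line).group(1), line))
    return processes, entries


def analyze(log_text):
    processes, entries = parse(log_text)
    findings = []
    # Rule 1: a process whose name is one or two edits away from a system binary.
    for proc in processes:
        name = ntpath.basename(proc).lower()
        if name in KNOWN_NAMES:
            continue
        nearest = min(SYSTEM_BINARIES, key=lambda s: levenshtein(name, s))
        if levenshtein(name, nearest) <= 2:
            findings.append(Finding(f"process name resembles {nearest}", proc))

    o2_dlls, o20_dlls = set(), set()
    for kind, line in entries:
        paths = [p.lower() for p in PATH_RE.findall(line)]
        lowered = line.lower()
        if kind == "O2" and paths:
            o2_dlls.add(paths[-1])
        if kind == "O20":
            if "(file missing)" in lowered:
                findings.append(Finding("orphaned Winlogon Notify entry (DLL missing)", line))
            elif paths:
                o20_dlls.add(paths[-1])
        # Rule 2: an autostart or service binary living directly in C:\ or C:\WINDOWS.
        if kind in ("O4", "O23") and paths and not in_expected_dir(paths[-1]):
            findings.append(Finding("autostart binary outside System32/Program Files", line))
        # Rule 3: an unknown-owner service borrowing the name of a Windows component.
        if kind == "O23" and "unknown owner" in lowered and any(
                k in lowered for k in ("lsass", "windows logon", "security authority")):
            findings.append(Finding("unknown-owner service named like a system component", line))
    # Rule 4: the Vundo tell-tale, one System32 DLL registered as both BHO and Winlogon Notify.
    for dll in sorted(o2_dlls & o20_dlls):
        findings.append(Finding(f"BHO + Winlogon Notify pair; check companion {vundo_companion(dll)}", dll))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run against the sample it reports the masquerading scvhost.exe process, the winapi64.exe Run entry, the dllmgr64 and fake lsass services, the orphaned sstqo Winlogon Notify entry and the pmnlm.dll BHO/Notify pair with its mlnmp.* companion, while leaving the AVG, ATI, Adobe and Internet Explorer lines alone. The allowlist deliberately does not vouch for CTHELPER.EXE in C:\WINDOWS, which is why retrac asks about the sound card: a heuristic like this narrows the list, and a human still confirms what is left.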

#5 jnans (Topic Starter)
Vundofix.txt


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\pmnlm.dll

The second filepath entered was C:\WINDOWS\system32\mlnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 444 'smss.exe'

Killing PID 1904 'explorer.exe'


Killing PID 536 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\pmnlm.dll Deleted sucessfully.
C:\WINDOWS\system32\mlnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------




Uninstall List.txt


Ad-Aware SE Personal
Adobe Reader 7.0.5
AOL Uninstaller (Choose which Products to Remove)
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free Edition
CleanUp!
Contextual Tool
DH
DigitalPersona Password Manager 1.0.1
HijackThis 1.99.1
Image Resizer Powertoy for Windows XP
Macromedia Flash Player 8
Morpheus 5.1 (remove only)
Panda ActiveScan
Quicklinks
QuickTime
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Stop-the-Pop-Up
Update for Windows XP (KB898461)
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB896688
Yahoo! Widget Engine




ActiveScan.txt


Incident Status Location

Spyware:Spyware/LinkReplacer Not disinfected C:\Program Files\QL\qlink32.dll
Adware:adware/dollarrevenue Not disinfected C:\drsmartload1.exe
Adware:adware/popupsandbannersNot disinfected C:\WINDOWS\timessquare.exe
Adware:adware/searchresults Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\Hijack This\backups\backup-20051207-205931-966.dll
Possible Virus. Not disinfected C:\Hijack This\backups\backup-20051213-142427-430.dll
Spyware:Spyware/LinkReplacer Not disinfected C:\Hijack This\backups\backup-20051213-142427-881.dll
Spyware:Spyware/LinkReplacer Not disinfected C:\Hijack This\backups\backup-20051213-142953-989.dll
Spyware:Spyware/LinkReplacer Not disinfected C:\Program Files\QL\qlink32.dll
Spyware:Spyware/LinkReplacer Not disinfected C:\RECYCLER\S-1-5-21-484763869-1960408961-725345543-1003\Dc6\qlink32.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awvtq.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awvvv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddccd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\geebx.dll
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\system32\i
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkhhh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljjk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\sstqr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtutt.dll




HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 2:48:08 PM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igps.exe
C:\WINDOWS\System32\pgws.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Services] C:\winapi64.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133918127843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)







I have a Creative Soundblaster Audigy 2 Value sound card.
I do NOT use parental controls on this computer.


When going to start up my computer in Safe Mode, I am able to get past the XP Welcome log-on screen. It then goes back to the black screen with "Safe Mode" in all four corners. Nothing happens. Therefore, I did the tasks you requested in normal mode with the ethernet cable unplugged. Everything seemed to work OK, but whenever I go to manually delete the "QL" folder out of the "Program Files" folder, it re-appears at the bottom of the list.


Thanks for your help!

#6 retrac (Visiting Staff)
Alright jnans ... Well, Safe Mode does have "Safe Mode" in all 4 corners (Was the Start button viewable??? IF SO you can get to your desktop shortcuts by clicking: Start > My Computer > Local Disk C > Documents & Settings > USERNAME > Desktop), but maybe one of these viruses is keeping you from Safe Mode. Let's see if we can take care of that :)



Download 1
Please download the Killbox.
to the desktop but do NOT run it yet.


Download 2
Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Close Ewido. ( WE Will use this Later )


Step 1
Now before we can fix some of these things in HijackThis we need to stop a few processes. Here is how you do it: Press Ctrl + Alt + Delete at the same time and then click on the Processes tab if not already selected.
Now click on each of the following processes and click the "End Process" button for each one. Click Yes for each warning message.


pgws.exe

igps.exe




Step 2
Please open HiJackThis and scan. Check the boxes next to all the entries listed below.


O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O4 - HKLM\..\Run: [Services] C:\winapi64.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\System32\igps.exe"
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)


Now close all windows and browsers other than HiJackThis, then click Fix Checked.


Step 3
Then please TRY and reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
( if you CAN'T, just do this in normal mode )


Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Copy everything in BOLD below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\System32\igps.exe
C:\WINDOWS\System32\pgws.exe
C:\WINDOWS\dllmgr64.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\winlog.exe
C:\Program Files\QL\qlink32.dll
C:\drsmartload1.exe
C:\winapi64.exe
C:\WINDOWS\timessquare.exe
C:\RECYCLER\S-1-5-21-484763869-1960408961-725345543-1003\Dc6\qlink32.dll
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\vtutt.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Right click in the White Box provided and choose Paste

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot into Normal Windows




Step 4
Now please try and boot into Safe Mode again even if it didn't let you last time. ( Still follow the directions below even if you can't get to Safe Mode )

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Step 5
Now open EWIDO and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.




NOW reboot back into Normal Mode


This is what I need :

1. The Ewido Report
2. A NEW HijackThis Log
3. How is the PC running ?
4. Delete the re-appearing C:\Program Files\QL folder again and let me know if it dies :)


Thanks :tazz:

#7 jnans (Topic Starter)
Ewido Report



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:06:52 AM, 12/14/2005
+ Report-Checksum: FC6634AE

+ Scan result:

C:\Hijack This\backups\backup-20051213-142427-881.dll -> Spyware.Suggestor : Cleaned with backup
C:\Hijack This\backups\backup-20051213-142953-989.dll -> Spyware.Suggestor : Cleaned with backup


::Report End





Hijack This Log



Logfile of HijackThis v1.99.1
Scan saved at 9:10:50 AM, on 12/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133918127843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)

The computer seems to be running pretty well, no hangs or anything like that. The QL folder looks like it is gone for good! The final two items on the HijackThis log seem to not be going away though... not sure if that is a big deal seeing as how they are missing items anyway?
#8 retrac (Visiting Staff, 578 posts)
Welcome Back jnans :)

Looks like we got a lot of it there. :tazz:

Do you still have KillBox on your desktop? If not, please re-download it from HERE.


Next
To stop a service and set to 'disabled'

1. Go to Start > Run and type in Services.msc then click OK
2. Click the Extended tab.
3. Scroll down until you find the service.
===>Local Security Authority Subsystem Service
4. Click once on the service to highlight it.
5. Click Stop (if applicable)
6. Right-Click on the service.
7. Click on 'Properties'
8. Select the 'General' tab
9. Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
10. From the drop-down menu, click on 'Disabled'
11. Click the 'Apply' tab, then click 'OK'



Next
To stop a service and set to 'disabled'

1. Go to Start > Run and type in Services.msc then click OK
2. Click the Extended tab.
3. Scroll down until you find the service.
===>Windows Logon
4. Click once on the service to highlight it.
5. Click Stop (if applicable)
6. Right-Click on the service.
7. Click on 'Properties'
8. Select the 'General' tab
9. Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
10. From the drop-down menu, click on 'Disabled'
11. Click the 'Apply' tab, then click 'OK'

Next
Please open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)


Now close all windows and browsers other than HiJackThis, then click Fix Checked.

Next
Please run Killbox.

Select "Delete on Reboot".

Copy everything in BOLD below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\winlog.exe
C:\WINDOWS\scvhost.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Right click in the White Box provided and choose Paste

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Please post a NEW HijackThis log :woot:

Are you able to get to Safe Mode now ???

Thanks :)
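An added example, not part of this thread and not code from HijackThis or from retrac: a small Python triage script for O23 service lines like the two retrac has jnans fix above. It flags the same signals a helper reads by eye, a binary that is missing, no recorded owner, a service binary outside System32 or Program Files, and a file name that imitates a genuine Windows executable (scvhost.exe next to svchost.exe, winlog.exe next to winlogon.exe). The sample log lines are constructed from the entries in this thread; the system-binary list, the trusted-directory prefixes and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample lines, modelled on the O23 entries quoted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))(?P<missing> \(file missing\))?\s*$",
    re.IGNORECASE,
)
# Assumed: genuine Windows binaries whose names malware likes to imitate.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
# Assumed: where a legitimate service binary is normally expected to live on XP.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

def triage_o23(line):
    """Return (service name, [reasons]) for one O23 line, or None if the line is not O23."""
    m = O23_RE.match(line)
    if not m:
        return None
    folder, exe = m.group("path").lower().rsplit("\\", 1)
    reasons = []
    if m.group("missing"):
        reasons.append("binary missing but the service is still registered")
    if m.group("owner").strip().lower() == "unknown owner":
        reasons.append("no vendor recorded in the file's version info")
    if not (folder + "\\").startswith(TRUSTED_DIRS):
        reasons.append("service binary outside System32 / Program Files: " + folder)
    if exe not in SYSTEM_NAMES:  # a real system binary never trips the look-alike check
        for real in sorted(SYSTEM_NAMES):
            if SequenceMatcher(None, exe, real).ratio() >= 0.8:
                reasons.append(f"file name {exe} imitates system binary {real}")
                break
    return m.group("name"), reasons

def suspicious_services(log_text):
    """Map service name -> reasons, for every O23 line that raised at least one flag."""
    flagged = {}
    for line in log_text.splitlines():
        hit = triage_o23(line)
        if hit and hit[1]:
            flagged[hit[0]] = hit[1]
    return flagged
```

Run against SAMPLE_LOG, only the lsass and winlog entries come back, each with all four reasons, while the ATI and AVG services raise nothing.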
#9 jnans (Topic Starter, 14 posts)
Logfile of HijackThis v1.99.1
Scan saved at 10:01:59 PM, on 12/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\common files\aol\1133920590\ee\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133920590\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133918127843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Safe mode does indeed work now! And with my minor knowledge of Hijack This logfile decipherability, it looks like the malware is gone.


My hat is off to you retrac, thank you very much! GeeksToGo saves the day once again! :tazz:
#10 retrac (Visiting Staff, 578 posts)
Welcome Back jnans :tazz: Your computer is Clean :)


Now to clean out your restore points:
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Next
Now there are a few things here you can do to keep this from happening Again.


The following 3 programs use NONE of your computer's power :) So there is no reason not to use them.

1. Please Download SpyBot S&D
Install the program. During installation Make sure Teatimer IS NOT checked.
Then follow all the setup steps "backup registry, Download Updates, Immunize"
After all that Close SpyBot and then restart it.
Now Select the Search and Destroy button, Check for problems and after scanning is complete, Fix selected problems.

Keep Spybot updated and Immunized (weekly) to help protect yourself in the future.


2. SpywareBlaster is a MUST HAVE. Download it HERE and install it. Click Update, then Check for Update, then after it's done click Protection, then click Enable All Protection. UPDATE & Enable ALL Protection weekly.

3. Use the MVPS hosts file. Read about it here (look for the Hosts.zip and left-click it to download it. Since you are using XP, you will download it, then extract it and copy and paste the HOSTS file into C:\Windows\System32\Drivers\etc. It will ask you if you want to replace... Click Yes or OK.) At the time, Panda ActiveScan finds this file as Adware, but it is incorrect. So if you do another scan with Panda, don't be surprised to see an entry like Adware \ secure32 C:\Windows\system32\drivers\etc\hosts. Panda ActiveScan may have already fixed this, but maybe not... I haven't done a scan in a couple of days :)
UPDATE monthly


MUST HAVE
Firefox is like the same thing as Microsoft's Internet Explorer, but it is much safer for surfing the web. I recommend using it in place of Internet Explorer. HOWEVER, you will still need Microsoft Internet Explorer for some sites like Windows Updates, some online payment sites, and some online virus scans that require ActiveX controls. Please download it and install it. Let it import your favorites from Internet Explorer and set it as your default browser... (multi-tab browsing is cool: try right-clicking your Bookmarks "aka Favorites" and select open in new tab) Firefox RULES :)

You can always go: Start> IExplore to use Internet Explorer. ( when you need it )

Now, do you have a firewall??? If not, try ZoneAlarm; it is free. I use it and it's easy to understand. Pretty much every program will ask before it is allowed to access the internet. And it will block any attempt to connect to an insecure port on your PC from malicious people. A firewall is a Must Have.



ALSO Go to Start> and right click on" My Computer". Select "Properties" then Select the "Automatic Updates" tab and set your updates to "Automatic" and Apply.


Also, Ewido Security Suite is only a 2-week trial. If you don't plan on keeping Ewido after the 2-week trial, it is a good idea to remove it. (It adds a couple of running processes which can slow down the PC a little.)


Please Let me know how all this went and if you have any questions.

Thanks retrac :P :woot:
#11 jnans (Topic Starter, 14 posts)
All of those are great programs! Thanks for the suggestions!


I would use Firefox, but I have a Microsoft Fingerprint Reader keyboard, and well everyone knows how Microsoft does things if you're not using IE.


Thanks again,

Joel Nans
#12 therock247uk (Expert, MVP, 14,672 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.