
Several issues resolved, need help finishing.


14 replies to this topic

#1 CrazyDog1


Posted 02 April 2005 - 02:00 PM

I am helping a friend by cleaning up their system. They had a large amount of bleep-ware on their computer, making it virtually unusable. After countless program executions, many fixes applied, many different forums searched, I am still having a few issues that I need some help with. I have followed the n00b guide that is posted here, as well as from many other sites, and below are the results.

Ad-Aware
By instinct, this along with SpyBot was the first thing that I ran. Ad-Aware took out some 400+ issues. I still continue to get a few tracking cookies every time I subsequently run the program, most definitely from all the pop-ups that I am experiencing.

CWShredder
This program found one issue & it was resolved immediately.

SpyBot S&D
This program has also removed many items. However, there were several things that could not be removed that I had to use various fixes for in order to get them removed. *Grinler hugs Google. However, I still have a couple issues unresolved, various fixes unsuccessful:
CallingHome.biz - 4 entries
  • HKEY_USERS\S-1-5-18\Software\DLMAX
  • HKEY_USERS\S-1-5-20\Software\DLMAX
  • HKEY_USERS\S-1-5-19\Software\DLMAX
  • HKEY_USERS\DEFAULT\Software\DLMAX
Elitum.EliteBar - 4 entries
  • HKEY_USERS\S-1-5-18\Software\LQ
  • HKEY_USERS\S-1-5-20\Software\LQ
  • HKEY_USERS\S-1-5-19\Software\LQ
  • HKEY_USERS\DEFAULT\Software\LQ
Anti-Virus
Uninstalled the OEM software that he had, and installed Symantec Corporate 9.0.3.1000. It found and removed 14 items.

Trend HouseCall
It removed stuff as well. However, there are 7 files it cannot remove:
TROJ VG.A - C:\Windows\System\Cache\pi1_51.exe
TROJ AGENT.NJ - C:\Windows\System\Cache\adl_dh.exe
TROJ VG.A - C:\Windows\System32\Cache\pi1_51.exe
TROJ AGENT.NJ - C:\Windows\System32\Cache\adl_dh.exe
TROJ STARTPA.A - C:\Windows\System32\eliteerror32.dat
TROJ VB.KM - C:\Windows\System32\sysmonnt.exe
TROJ STARTPA.A - C:\Windows\protector.update.exe
I have not removed any of these, as I want to ensure there are no necessary removal instructions.

Panda
---LOG START---
Incident                      Status                        Location

Adware:Adware/QoolShown       No disinfected                C:\WINDOWS\System32\hepbgsp.dll
Virus:Trj/Small.HQ            Disinfected                   Operating system
Adware:Adware/IESearchBar     No disinfected                C:\WINDOWS\isrvs\mfiltis.dll
Adware:Adware/nCase           No disinfected                C:\WINDOWS\System32\FLEOK
Adware:Adware/BHO             No disinfected                Windows Registry
Adware:Adware/BookedSpace     No disinfected                C:\WINDOWS\bsx32
Adware:Adware/Apropos         No disinfected                C:\Program Files\cxtpls
Adware:Adware/Sqwire          No disinfected                C:\WINDOWS\System32\tsuninst.exe
Spyware:Spyware/TVMedia       No disinfected                C:\Documents and Settings\default\Application Data\sskknwrd.dll
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\farmmext.ini
Adware:Adware/ISearch         No disinfected                C:\WINDOWS\isrvs
Adware:Adware/Twain-Tech      No disinfected                C:\DOCUME~1\default\LOCALS~1\Temp\THI*.tmp
Adware:Adware/EliteBar        No disinfected                Windows Registry
Adware:Adware/Beginto         No disinfected                C:\WINDOWS\System32\dsktrf.dll
Spyware:Spyware/SurfSideKick  No disinfected                Windows Registry
Spyware:Spyware/Search3       No disinfected                C:\Program Files\Search3 Toolbar
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\dlmax.dll
Virus:Trj/CPR.A               Disinfected                   C:\WINDOWS\SYSTEM\Cache\setup.exe
Virus:Trj/Downloader.BOD      Disinfected                   C:\WINDOWS\SYSTEM\Cache\AUNIcons.exe
Virus:Trj/Downloader.BJM      Disinfected                   C:\WINDOWS\SYSTEM\Cache\pi1_51.exe
Spyware:Spyware/ShhhToolbar   No disinfected                C:\WINDOWS\SYSTEM\Cache\runsearch.exe
Adware:Adware/VirtualBouncer  No disinfected                C:\WINDOWS\SYSTEM\Cache\wrapperouter.exe
Virus:Trj/Delf.EB             Disinfected                   C:\WINDOWS\SYSTEM\Cache\HelperInstall.exe
Virus:Trj/Downloader.BJL      Disinfected                   C:\WINDOWS\SYSTEM\Cache\adl_dh.exe
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\SYSTEM\Cache\cxtpls_loader.exe
Adware:Adware/nCase           No disinfected                C:\WINDOWS\SYSTEM\Cache\pop.exe
Adware:Adware/ILookup         No disinfected                C:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe
Adware:Adware/WinTools        No disinfected                C:\WINDOWS\SYSTEM\Cache\adl_ibis_AS2.exe
Adware:Adware/TopRebates      No disinfected                C:\WINDOWS\SYSTEM\Cache\WebRebates_Auto_InstallSilent.exe
Virus:Trj/Delprot.A           Disinfected                   C:\WINDOWS\SYSTEM32\DRIVERS\delprot.sys
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM32\eliteerror32.dat
Adware:Adware/EliteBar        No disinfected                C:\WINDOWS\SYSTEM32\elitedoolsav.dat
Virus:Trj/CPR.A               Disinfected                   C:\WINDOWS\SYSTEM32\sysmonnt.exe
Adware:Adware/eZula           No disinfected                C:\WINDOWS\SYSTEM32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy  No disinfected                C:\WINDOWS\SYSTEM32\psis80ex.ax[cashback.exe]
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\qgfodf.exe
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\qxgvyf.exe
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\qxgvy.dll
Adware:Adware/QoolShown       No disinfected                C:\WINDOWS\SYSTEM32\hepbgsp.dll.tmp
Virus:W32/Spybot.QV.worm      Disinfected                   C:\WINDOWS\SYSTEM32\bgqyv.dat
Adware:Adware/ISearch         No disinfected                C:\WINDOWS\SYSTEM32\Cache\MTE0MzA6ODoxMg.exe
Virus:Trj/Downloader.BJM      Disinfected                   C:\WINDOWS\SYSTEM32\Cache\pi1_51.exe
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\SYSTEM32\Cache\cxtpls_loader.exe
Adware:Adware/VirtualBouncer  No disinfected                C:\WINDOWS\SYSTEM32\Cache\wrapperouter.exe
Adware:Adware/nCase           No disinfected                C:\WINDOWS\SYSTEM32\Cache\saie1101.exe
Virus:Trj/Downloader.BJL      Disinfected                   C:\WINDOWS\SYSTEM32\Cache\adl_dh.exe
Virus:Trj/Delf.EB             Disinfected                   C:\WINDOWS\SYSTEM32\Cache\HelperInstall.exe
Adware:Adware/ILookup         No disinfected                C:\WINDOWS\SYSTEM32\Cache\tool2_162813.exe
Spyware:Spyware/BargainBuddy  No disinfected                C:\WINDOWS\SYSTEM32\Cache\installer_MARKETING17.exe
Adware:Adware/nCase           No disinfected                C:\WINDOWS\SYSTEM32\Cache\pop.exe
Adware:Adware/TopRebates      No disinfected                C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe
Spyware:Spyware/ISTbar        No disinfected                C:\WINDOWS\SYSTEM32\tsuninst.exe
Virus:Trj/Small.HQ            Disinfected                   C:\WINDOWS\SYSTEM32\winup2date.dll
Adware:Adware/IESearchBar     No disinfected                C:\WINDOWS\isrvs\mfiltis.dll
Adware:Adware/IESearchBar     No disinfected                C:\WINDOWS\isrvs\desktop.exe
Adware:Adware/FIsearch        No disinfected                C:\WINDOWS\isrvs\msdbhk.dll
Adware:Adware/ISearch         No disinfected                C:\WINDOWS\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/ISearch         No disinfected                C:\WINDOWS\isrvs\ffisearch.exe
Virus:W32/Spybot.QV.worm      Disinfected                   C:\WINDOWS\pss\pudc.exeCommon Startup
Virus:Trj/Imiserv.D           Disinfected                   C:\WINDOWS\systb.exe
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\TEMP\THI248B.TMP\farmmext.inf
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\TEMP\THI248B.TMP\farmmext.ini
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\TEMP\auf0.exe
Adware:Adware/Envolo          No disinfected                C:\WINDOWS\TEMP\AutoUpdate0\setup.inf
Adware:Adware/EliteBar        No disinfected                C:\WINDOWS\TEMP\suicidetb.exe
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\TEMP\DrTemp\thnall2r.exe
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\TEMP\THI6653.TMP\dlmax.cab[dlmax.dll]
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\TEMP\THI6653.TMP\dlmax.dll
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\DLMAX.DLL
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\protector_update.exe
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\inf\dlmax.inf
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\CxtPls.dll
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\CxtPls.exe
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\ProxyStub.dll
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\WinGenerics.dll
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\uninstaller.exe
Adware:Adware/SAHAgent        No disinfected                C:\Temp\sahagent-cdt1004.exe
Adware:Adware/IPInsight       No disinfected                C:\undo\backup.cab[farmmext.ini]
Adware:Adware/IPInsight       No disinfected                C:\undo\backup.cab[FARMMEXT.INF]
Virus:W32/Spybot.QV.worm      Disinfected                   C:\Documents and Settings\default\Local Settings\Temp\tp7543.exe
Adware:Adware/IPInsight       No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI2B41.tmp\farmmext.inf
Adware:Adware/IPInsight       No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI2B41.tmp\farmmext.ini
Adware:Adware/IPInsight       No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI4197.tmp\farmmext.inf
Adware:Adware/IPInsight       No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI4197.tmp\farmmext.ini
Virus:Bck/Paci.A              Disinfected                   C:\Documents and Settings\default\Local Settings\Temp\ptf_0004.exe
Adware:Adware/ISearch         No disinfected                C:\Documents and Settings\default\Local Settings\Temp\B24181139\build3.exe
Spyware:Spyware/ISTbar        No disinfected                C:\Documents and Settings\default\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
Adware:Adware/EliteBar        No disinfected                C:\Documents and Settings\default\Local Settings\Temp\1420252.dll
Adware:Adware/Transponder     No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI7259.tmp\dlmax.inf
Adware:Adware/Transponder     No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI7259.tmp\dlmax.dll
Adware:Adware/Transponder     No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI155.tmp\dlmax.inf
Adware:Adware/Transponder     No disinfected                C:\Documents and Settings\default\Local Settings\Temp\THI155.tmp\dlmax.dll
Adware:Adware/VirtualBouncer  No disinfected                C:\Documents and Settings\default\Local Settings\Temp\temp.fr8BCB\AdDestroyer.exe
Adware:Adware/AdDestroyer     No disinfected                C:\Documents and Settings\default\Local Settings\Temp\temp.frD8D5
Adware:Adware/AdDestroyer     No disinfected                C:\Documents and Settings\default\Local Settings\Temp\temp.fr2AB5
Spyware:Spyware/ISTbar        No disinfected                C:\Documents and Settings\default\Local Settings\Temp\GLF1AGLF1A.EXE
Virus:W32/Spybot.QV.worm      Disinfected                   C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\T3VVTZHI\i282[1].exe
Adware:Adware/StartPage.DD    No disinfected                C:\updlog355.exe
Adware:Adware/StartPage.DD    No disinfected                D:\updlog35.exe
---LOG END---

--restarted (well many times, but once before the following)--

Hijack This
---LOG START---
Logfile of HijackThis v1.99.1
Scan saved at 4:16:47 AM, on 04/02/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pudc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\msiexec.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\marlni.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.40opt/SpySpotterCabInstall.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
---LOG END---

Thanks in advance. You guys do wonderful work here.

Edited by CrazyDog1, 02 April 2005 - 04:14 PM.



#2 CrazyDog1


Posted 02 April 2005 - 06:27 PM

Can anyone suggest a program, or a place in which I may be able to find some help?

#3 IMM


Posted 02 April 2005 - 08:05 PM

These 2 are bad news but also indicate that there is likely a hidden startup item in the Global Startup folder (AllUsers)
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\marlni.exe

This item also looks pretty weird
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

--------
To start - let's look for the hidden
Download FindQoologic-Narrator.zip save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
wait until a text opens, post it in a reply to your thread.

------ additionally
Download: http://www.bleepingcomputer.com/files/spyware/imm_mh4.zip
Unzip it to a folder (it will make its own subfolder there called imm_mh4)
Double click on the runme.bat in that folder and it should produce a MH4_Look.log file which will open in notepad.
If it fails - re-extract and try again. Post (paste) the MH4_Look.log file to this post.
There will also be a MH4_err.log file produced in that folder. Have a look at it with notepad.
If the MH4_err log contains anything - attach rather than paste it using the browse button in the reply editor
If you can't do that - just post the text bits from the error log which avoid most of the hex numbers in the file
(keep it short :thumbsup: )

Edited by IMM, 02 April 2005 - 08:13 PM.


#4 CrazyDog1


Posted 02 April 2005 - 08:24 PM

These 2 are bad news but also indicate that there is likely a hidden startup item in the Global Startup folder (AllUsers)
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\marlni.exe

This item also looks pretty weird
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

Should I fix these before or after running the two programs?

#5 IMM


Posted 02 April 2005 - 08:55 PM

just run the 2 programs first - so I can see where we are at - if you try to fix them (like Arnold) they will be back :thumbsup:

#6 CrazyDog1


Posted 02 April 2005 - 09:46 PM

Well, Qoologic didn't find anything, but while the program runs, the cmd window shows "Too Many parameters", and then stops responding. The text output is:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»


imm_mh4 produced (no errors):
An Ms4Hd_look by IMM (v0.003)
Version Info: 5.1000 = Windows XP Pro  (Build 2600)
The volume containing the system directory is  C: (FAT32)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Error: Unable to open key  (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Error: Unable to open key  (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Error: Unable to open key  (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Error: Unable to open key  (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Error: Unable to open key  (Return Code was 2)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 (1 subkey(s)  and 5 values)   last modified 06:32 2/4/2005 (UTC)
  [SystemTray]              "SysTray.Exe"  (SZ)
  [AUNPS2]                  "RUNDLL32 AUNPS2.DLL,_Run@16"  (SZ)
  [ccApp]                   ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe""  (SZ)
  [vptray]                  "C:\PROGRA~1\SYMANT~1\VPTray.exe"  (SZ)
  [KavSvc]                  "C:\WINDOWS\System32\marlni.exe"  (SZ)


#7 IMM


Posted 02 April 2005 - 10:30 PM

Please download the fstarts.zip package http://castlecops.com/zx/IMM/fstart.zip
Unzip the whole thing somewhere (both files from in it must be in the same folder)
Run it by doubleclicking on the run_fstarts.bat file
The resulting text file (fstarts.txt) should open in notepad - post it here

---
Try extracting that first find-qoologic one again
Are you sure it failed? -- it can actually take as much as 15 minutes to run (depending on filesystem speed etc.) and may be a little deceptive about being stopped

If you are sure it quit on you - it's probably the result of an AV in the way
Try it again from SAFE mode
How to start the computer in Safe mode

Edited by IMM, 02 April 2005 - 10:38 PM.


#8 CrazyDog1


Posted 03 April 2005 - 12:18 AM

Sorry for the delay, I have been waiting for a BitDefender scan to finish. I lost the results because, when I posted them here, the log was too big and it cut off the rest of my post. I prefer not to go through that one again...

So, ya, here is the fstart log:
(fstarts by IMM - test ver. 0.001) Using address check -- 0x77f7ecc3 

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 desktop.ini
 pudc.exe
 SpySubtract.lnk
 Microsoft Office.lnk

User Startup:
C:\Documents and Settings\default\Start Menu\Programs\Startup
 .
 ..
 desktop.ini

And I did not wait long enough for the Qoologic to complete, here are the results...
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»» 
  
* urllogic C:\WINDOWS\HRAVK.DLL

* ad-beh C:\WINDOWS\System32\HEPBGSP.DLL
* ad-beh C:\WINDOWS\System32\PONQA.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\MARLNI.EXE
* ad-beh C:\WINDOWS\System32\RXCQODC.EXE
* ad-beh  C:\WINDOWS\System32\BGQYV.DAT
* ad-beh  C:\WINDOWS\System32\WMCONFIG.CPL
* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  

* exe  C:\docume~1\alluse~1\startm~1\programs\startup\PUDC.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»

 NOT using address check -- 0x77f7ecc3 

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 desktop.ini
 pudc.exe
 SpySubtract.lnk
 Microsoft Office.lnk

User Startup:
C:\Documents and Settings\default\Start Menu\Programs\Startup
 .
 ..
 desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»  

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    <NO NAME>	REG_SZ	{BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME>	REG_SZ	{750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME>	REG_SZ	{09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME>	REG_SZ	{A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
    <NO NAME>	REG_SZ	{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\tsgkqmgm
    <NO NAME>	REG_SZ	{68d5a642-e712-41d6-92d3-527ee4325971}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME>	REG_SZ	Start Menu Pin
  
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
"Find activesetup", version1, launched at: 23:14
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
"646ab90e-54cd-4153-9a42-5f38fcfab588\(Default)" = ""
                                     \StubPath   = "C:\WINDOWS\System32\rxcqodc.exe" [null data]

What's worse is all these dog-gone pop-ups! This is really annoying, it takes me ten minutes to post.

Edited by CrazyDog1, 03 April 2005 - 12:24 AM.


#9 IMM


Posted 03 April 2005 - 01:00 AM

This is the hidden startup item I was looking for
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pudc.exe
(you'll notice that HijackThis won't show it)

Let's try the following:

Download the attached fixme.txt file from the bottom of the post to somewhere on your machine (desktop is fine) and then rename it to fixme.reg
We'll need it later.

Download PocketKillbox from http://www.bleepingcomputer.com/files/spyware/KillBox.zip
Unzip it somewhere to keep.
Run it - choose Tools > Delete Temp Files and click OK

Empty the TIF (Temporary Internet Files)
To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
Next, close all browser Windows, and push the 'Fix checked' button in HijackThis
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rCabInstall.cab


Run the fixme.reg file you downloaded earlier by double clicking on it and answering yes or OK

Start the Killbox you downloaded earlier
Put a check next to "Delete on Reboot".
Copy and paste each of the following lines into the file name box, then click the red button with the X after each.
It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
C:\WINDOWS\HRAVK.DLL
C:\WINDOWS\System32\HEPBGSP.DLL
C:\WINDOWS\System32\PONQA.DLL
C:\WINDOWS\System32\WINUP2DATE.DLL
C:\WINDOWS\System32\MARLNI.EXE
C:\WINDOWS\System32\RXCQODC.EXE
C:\WINDOWS\System32\BGQYV.DAT
C:\WINDOWS\System32\WMCONFIG.CPL
C:\WINDOWS\UNADBEH.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pudc.exe


On the reboot choose SAFE mode
How to start the computer in Safe mode

Run the fixme.reg file you saved again !
Clean out the IE TIF and the temp files (use killbox) again and then run your Adaware from safe mode.
It is probably also wise to run your antivirus at this point as well

Reboot normally, and post a fresh HijackThis log so I can see how we did

Attached Files
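IMM's point above is that a file sitting in the All Users Startup folder can be running (it shows up under "Running processes") while HijackThis never lists it as an O4 Global Startup item. The following script is an added example written for this thread, not code from HijackThis or from any of the tools IMM posted: it parses a HijackThis log, picks out every running process whose path lies under a Start Menu\Programs\Startup folder, and reports the ones that no O4 Global Startup / Startup line accounts for. The sample log is a constructed excerpt of the log quoted earlier in the thread.

```python
"""Cross-check a HijackThis log for startup-folder programs that HijackThis
itself did not report as an O4 entry (the "hidden startup item" case).

Added example for this thread; not part of HijackThis or of IMM's tools.
"""
import re

# Any path under ...\Start Menu\Programs\Startup\ is an autostart location.
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# HijackThis entry lines look like "O4 - ...", "R1 - ...", "O23 - ...".
ENTRY_LINE = re.compile(r"^[A-Z]\d+ - ")

# "O4 - Global Startup: SpySubtract.lnk = C:\...\SpySub.exe"
O4_STARTUP = re.compile(r"^O4 - (Global Startup|Startup): (.+?)\s*=\s*(.+)$")

# Constructed excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:16:47 AM, on 04/02/2005
Platform: Windows XP  (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pudc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\marlni.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def parse_hjt_log(text):
    """Return (running_processes, o4_startup_entries) from HijackThis log text.

    running_processes   : list of full paths from the "Running processes:" block
    o4_startup_entries  : list of (scope, shortcut_or_file_name, target) tuples
                          taken from O4 Global Startup / Startup lines
    """
    processes = []
    o4_startup = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            section = "procs"
            continue
        if ENTRY_LINE.match(line):
            section = "entries"
        if section == "procs":
            processes.append(line)
        elif section == "entries":
            m = O4_STARTUP.match(line)
            if m:
                o4_startup.append((m.group(1), m.group(2), m.group(3)))
    return processes, o4_startup


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_unlisted_startup_items(text):
    """Running processes started from a Startup folder that no O4 line names.

    A process is considered "listed" if its file name matches either the
    shortcut/file name or the target's file name of some O4 Startup entry.
    """
    processes, o4 = parse_hjt_log(text)
    listed = set()
    for _scope, name, target in o4:
        listed.add(name.lower())
        listed.add(_basename(target))
    unlisted = []
    for path in processes:
        if STARTUP_FOLDER.search(path) and _basename(path) not in listed:
            unlisted.append(path)
    return unlisted


if __name__ == "__main__":
    for item in find_unlisted_startup_items(SAMPLE_LOG):
        print("Startup-folder process not shown by HijackThis:", item)
```

Run against the sample, it reports only pudc.exe, which is exactly the item IMM identified; SpySubtract.lnk and Microsoft Office.lnk are covered by their O4 lines.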



#10 IMM


Posted 03 April 2005 - 01:26 AM

I should add that if I am wrong about that proxy server thing you can restore it from a HijackThis backup
(backups button in the Misc. Tools section)

#11 CrazyDog1


Posted 03 April 2005 - 03:04 AM

Ad-aware only came up with a handful of tracking cookies.
Symantec search was clean.
(but it also did not detect what Trend & Panda did)

Hijack Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:03:55 AM, on 04/03/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

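A small parser for the HijackThis log format shown above, as an added example that is not part of the original thread or of HijackThis itself. It pulls apart the R0/R1, O2, O4, O9, O16, O20 and O23 lines and flags the ones a helper would look at first. The allowlist of online-scanner hosts, the list of Winlogon Notify packages and the severity labels are assumptions made for the example; the sample lines are copied from this thread's log plus the spyspotter O16 entry quoted from the earlier post.

```python
"""Triage a HijackThis 1.99 log.

Added example for this thread, not HijackThis code: parses the entry types that
matter most for a clean-up and flags what a human should check first.
The allowlists below are assumptions for the example."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted in this thread plus the
# spyspotter O16 entry from the earlier post (its URL is truncated as posted).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rCabInstall.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

# Assumed allowlists (not HijackThis's own): hosts the posters used for online
# scans, and the Winlogon Notify packages XP ships with plus Symantec's NavLogon.
TRUSTED_DPF_HOSTS = ("trendmicro.com", "microsoft.com", "pandasoftware.com",
                     "bitdefender.com", "hp.com", "yimg.com", "ebayimg.com")
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "navlogon"}
# Directories a legitimate autorun rarely lives in.
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\temporary internet files\\")

ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
DPF = re.compile(r"DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
NOTIFY = re.compile(r"Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.+)$")
SERVICE = re.compile(r"Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
RUN = re.compile(r"(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO = re.compile(r"BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str
    severity: str   # "high", "review" or "info"
    reason: str
    entry: str


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def trusted_host(host: str) -> bool:
    """Exact or subdomain match against the allowlist (no substring matching)."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                      # header or process list, not an entry
        kind, body = m["kind"], m["body"]
        if kind == "O16" and (d := DPF.search(body)):
            if not trusted_host(host_of(d["url"])):
                sev = "high" if d["name"] is None else "review"   # unnamed control is worse
                findings.append(Finding(kind, sev,
                    f"ActiveX download from unlisted host {host_of(d['url'])}", line))
        elif kind == "O20" and (n := NOTIFY.search(body)):
            if n["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding(kind, "high",
                    "unknown Winlogon Notify DLL (loads into winlogon.exe as SYSTEM)", line))
        elif kind == "O23" and (s := SERVICE.search(body)):
            if s["company"].lower().startswith("unknown owner"):
                findings.append(Finding(kind, "review", "service with no publisher", line))
        elif kind == "O4" and (r := RUN.search(body)):
            if any(sd in r["cmd"].lower() for sd in SUSPECT_DIRS):
                findings.append(Finding(kind, "high", "autorun from a temp or profile directory", line))
        elif kind == "O2" and (b := BHO.search(body)):
            if b["name"] == "(no name)":
                findings.append(Finding(kind, "review", f"BHO without a name; check CLSID {b['clsid']}", line))
        elif kind == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(kind, "info", "dead entry, target missing; safe to fix", line))
        elif kind in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url.startswith("http") and not trusted_host(host_of(url)):
                findings.append(Finding(kind, "info", f"IE start/default page points at {host_of(url)}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.entry}")
```

On the sample, the spyspotter download is the only high-severity hit; the Trend Micro cab passes because its host is on the allowlist, the unnamed SDHelper BHO comes back as "review" (it is Spybot's, which the allowlist cannot know), and the `(file missing)` O9 entry is reported as a dead entry that is safe to fix. An unknown O20 DLL is rated high because Winlogon notification packages are loaded by winlogon.exe, so whatever is listed there runs as SYSTEM at every logon.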

#12 IMM
  • Members
  • 134 posts

Posted 03 April 2005 - 03:26 AM

You can uninstall that spyspotter program if it was fully installed
http://www.spyspotter.com/support.php

You can see what others think of it at
http://www.spywarewarrior.com/rogue_anti-spyware.htm :thumbsup:

Some of what you had makes me slightly nervous - but this is only because I am unsure of what the various cleaners have already done or not
There is nothing presently showing in that HijackThis log

I am going to take a few minutes to go through the stuff previously posted and see what's what - I'll post after that.

Are you getting any popups?

I'd like to see the contents of C:\WINDOWS\inf\dlmax.inf (if it's short - if not PM me)

Edited by IMM, 03 April 2005 - 03:35 AM.


#13 CrazyDog1
  • Topic Starter
  • Members
  • 8 posts

Posted 03 April 2005 - 03:34 AM

As of yet, no, but I have been here before. As far as removing SpySpotter, I tried (I didn't install that - I know, it sux) but it won't uninstall; I get errors. I will try the support page.

#14 CrazyDog1
  • Topic Starter
  • Members
  • 8 posts

Posted 03 April 2005 - 03:47 AM

Ya, I'm missing the install.log file... should I reinstall, then uninstall?

#15 IMM
  • Members
  • 134 posts

Posted 03 April 2005 - 04:04 AM

Yes - you could try installing then removing

Some infections will cripple an AdAware install - how recently was it added and have you checked to see if anything has been added to the ignore lists?

---- here's the other stuff (read the link at the bottom before starting this)
There is some risk in the following -- but this is what I'd try

Set your Explorer up using the info in this link so that hidden and System files are visible
Also Uncheck the "Hide extensions for known file types" box

Make a backup of C:\WINDOWS\inf\dlmax.inf and of C:\WINDOWS\dlmax.dll (zip them somewhere)

The entire C:\Documents and Settings\default\ profile looks fishy to me - however having the following folder is normal
C:\Documents and Settings\Default User\
Do you know how to log on as admin if profiles get messed up?
It's also possible that it was installed this way and is normal?
Are both default and Default User present ?

BTW - your/his installation really needs SP2 and all the critical updates.

Use Explorer and try to find these files - if found - delete them - if they fail to delete - please let me know! (some of them will now be gone)
C:\WINDOWS\System32\hepbgsp.dll
C:\WINDOWS\System32\tsuninst.exe
C:\Documents and Settings\default\Application Data\sskknwrd.dll
C:\WINDOWS\farmmext.ini
C:\Documents and Settings\default\Application Data\THI*.tmp
C:\WINDOWS\System32\dsktrf.dll
C:\WINDOWS\dlmax.dll
C:\WINDOWS\inf\dlmax.inf
C:\WINDOWS\SYSTEM32\elitedoolsav.dat
C:\WINDOWS\SYSTEM32\psis80ex.ax
C:\WINDOWS\SYSTEM32\qgfodf.exe
C:\WINDOWS\SYSTEM32\qxgvyf.exe
C:\WINDOWS\SYSTEM32\qxgvy.dll
C:\WINDOWS\SYSTEM32\hepbgsp.dll.tmp
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\protector_update.exe
C:\updlog355.exe
D:\updlog35.exe


The entire contents of C:\WINDOWS\TEMP\ (including any subfolders)
The contents of C:\Documents and Settings\default\Local Settings\Temp\ (including any subfolders)


Delete these Folders entirely
C:\Temp\
C:\WINDOWS\SYSTEM\Cache\
C:\WINDOWS\isrvs\
C:\Program Files\Search3 Toolbar\
C:\Program Files\CxtPls\
C:\WINDOWS\bsx32\
C:\WINDOWS\System32\FLEOK


I'm not sure who the following folder belongs to - one of the AV's ?
C:\undo\


After going over the files as above, what does Panda say on a scan?

Of late - we've been seeing isrvs in conjunction with bube variants
I'm not sure if your explorer is infected or not?

This procedure in the following link may work but you will have to clear the other antivirus utils out of the way first
http://castlecops.com/postt106277.html

Edited by IMM, 03 April 2005 - 04:36 AM.
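The clean-up steps from post #9 (Killbox's "Delete on Reboot" list) and post #15 (show hidden files and extensions, back up the two dlmax files, delete the listed files and folders) as one script, added here as an example that is not Killbox or any tool named in the thread. It assumes the registry values behind the Folder Options checkboxes, the `MoveFileEx` flag Killbox-style delayed deletion relies on, a backup path of `C:\dlmax-backup.zip` and a `--real` switch; only a subset of the post's file list is carried over. Without `--real` it runs the whole procedure against a constructed throwaway tree, so it can be tried on any machine without deleting anything.

```python
"""Scripted form of the clean-up in this thread: the Killbox 'Delete on Reboot'
list (post #9) and the show-hidden-files / back-up / delete file-and-folder list
(post #15). Added example, not Killbox or any tool named in the thread. The
Windows-only parts are guarded so the logic runs on any OS."""
from __future__ import annotations
import ctypes, glob, os, shutil, sys, tempfile, zipfile

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # documented MoveFileEx flag

# Targets taken from post #15 (a subset), spelled as they appear there.
KEEP = [r"C:\WINDOWS\inf\dlmax.inf", r"C:\WINDOWS\dlmax.dll"]
FILES = [r"C:\WINDOWS\System32\hepbgsp.dll", r"C:\WINDOWS\System32\tsuninst.exe",
         r"C:\Documents and Settings\default\Application Data\THI*.tmp", *KEEP]
FOLDERS = [r"C:\WINDOWS\isrvs", r"C:\Program Files\CxtPls", r"C:\WINDOWS\bsx32"]


def show_hidden_files() -> bool:
    """The Folder Options tweak post #15 asks for (Windows only; current user)."""
    if sys.platform != "win32":
        return False
    import winreg
    sub = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "Hidden", 0, winreg.REG_DWORD, 1)           # hidden files
        winreg.SetValueEx(k, "ShowSuperHidden", 0, winreg.REG_DWORD, 1)  # system files
        winreg.SetValueEx(k, "HideFileExt", 0, winreg.REG_DWORD, 0)      # extensions
    return True


def backup(paths: list[str], zip_path: str) -> list[str]:
    """Zip whichever of the files exist before anything is deleted."""
    saved = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if os.path.isfile(p):
                zf.write(p, arcname=os.path.basename(p))
                saved.append(p)
    return saved


def schedule_delete_on_reboot(path: str) -> bool:
    """What Killbox's 'Delete on Reboot' does: MoveFileEx(path, NULL,
    MOVEFILE_DELAY_UNTIL_REBOOT) queues the name in PendingFileRenameOperations,
    processed at the next boot. Needs administrator rights; Windows only."""
    if sys.platform != "win32":
        return False
    return bool(ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


def cleanup(files: list[str], folders: list[str]) -> dict[str, list[str]]:
    report: dict[str, list[str]] = {"deleted": [], "missing": [], "scheduled": [], "failed": []}
    for pattern in files:
        matches = sorted(glob.glob(pattern))      # expands THI*.tmp-style patterns
        if not matches:
            report["missing"].append(pattern)
        for f in matches:
            try:
                os.chmod(f, 0o666)                # clear a read-only attribute first
                os.remove(f)
                report["deleted"].append(f)
            except OSError:                       # in use: queue it for the reboot
                report["scheduled" if schedule_delete_on_reboot(f) else "failed"].append(f)
    for d in folders:
        if not os.path.isdir(d):
            report["missing"].append(d)
            continue
        try:
            shutil.rmtree(d)
            report["deleted"].append(d)
        except OSError:                           # something inside is locked
            report["failed"].append(d)
    return report


def demo_in_tempdir() -> dict[str, list[str]]:
    """Constructed stand-in for the infected box: a throwaway tree with the same
    file names, so the procedure can be exercised without touching a real system."""
    root = tempfile.mkdtemp(prefix="cleanup-demo-")
    appdata = os.path.join(root, "default", "Application Data")
    os.makedirs(appdata)
    os.makedirs(os.path.join(root, "isrvs", "sub"))
    for rel in ("dlmax.inf", "hepbgsp.dll", "isrvs/sub/x.exe",
                "default/Application Data/THI1.tmp", "default/Application Data/THI2.tmp"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("constructed sample\n")
    saved = backup([os.path.join(root, "dlmax.inf"), os.path.join(root, "dlmax.dll")],
                   os.path.join(root, "dlmax-backup.zip"))      # dlmax.dll absent: skipped
    rep = cleanup([os.path.join(root, "hepbgsp.dll"), os.path.join(root, "tsuninst.exe"),
                   os.path.join(appdata, "THI*.tmp"), os.path.join(root, "dlmax.inf")],
                  [os.path.join(root, "isrvs"), os.path.join(root, "bsx32")])
    out = {k: [os.path.basename(p) for p in v] for k, v in rep.items()}
    out["backed_up"] = [os.path.basename(p) for p in saved]
    out["remaining"] = sorted(os.listdir(root))
    return out


if __name__ == "__main__":
    if sys.platform == "win32" and "--real" in sys.argv:   # the real thing, run as admin
        show_hidden_files()
        print("backed up:", backup(KEEP, r"C:\dlmax-backup.zip"))
        print(cleanup(FILES, FOLDERS))
    else:
        print(demo_in_tempdir())
```

The order matters: the backup runs before the delete list is touched, because the dlmax files are on both lists. Anything `os.remove` cannot delete is handed to the same delayed-delete mechanism Killbox uses, and the report keeps "scheduled" separate from "failed" so you know which names still need a pass from Safe Mode, which is exactly the information the helper asked to be told about.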




