

HJT - Relmwalker


  • This topic is locked
14 replies to this topic

#1 Relmwalker

Relmwalker

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 12 May 2005 - 04:43 PM

I have Windows XP Professional. Last night I obviously ended up at the wrong website looking up cheat codes for a game. Adaware and Spybot couldn't even get rid of them all in safe mode. I have run both. Spybot no longer finds any problems. Every restart Ad-aware finds about 51 problems. It says it is fixing them, but obviously not. When I open the internet I get pop-ups in the upper left-hand corner that say "Aruora". Under msconfig/startup it won't let me remove some of the programs from auto-starting. I have now also downloaded AVG antivirus, which deleted 14 problems and continually gives me pop-ups about detecting an additional virus, but not all of it is able to be removed; however, on a regular scan it returns nothing. I also run Spybot TeaTimer, which gives me a lot of pop-up boxes for changes being made, and even though I click deny the effects are still made, and not all of them I am allowed to deny. All that being said, the extent of knowledge I have about computers is that I have a white one. Please help. Thank you for your time; below is my log.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:38 PM, on 5/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
E:NEWFOL~1avgamsvr.exe
E:NEWFOL~1avgupsvc.exe
C:WINDOWSSystem32svchost.exe
c:windowssystem32lcocusi.exe
E:NEWFOL~1avgcc.exe
E:SpybotSpybot - Search & DestroyTeaTimer.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.yahoo.com/
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:SpybotSPYBOT~1SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll
O4 - HKLM..Run: [SpybotSnD] "E:SpybotSpybot - Search & DestroySpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM..Run: [AVG7_CC] E:NEWFOL~1avgcc.exe /STARTUP
O4 - HKLM..Run: [MSConfig] C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 - HKLM..Run: [uoghtx] c:windowssystem32lcocusi.exe
O4 - HKCU..Run: [SpybotSD TeaTimer] E:SpybotSpybot - Search & DestroyTeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_02in
pjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_02in
pjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:NEWFOL~1avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:NEWFOL~1avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:WINDOWSsvcproc.exe


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 13 May 2005 - 01:05 AM

Hello Relmwalker and welcome to the BC forums. After reviewing your log I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix, so we would like you to re-enable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. If it asks to reboot, do not reboot even if that means leaving the computer on till I get back to you.

Now please create a new Hijackthis Log and post it here as a reply. I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 13 May 2005 - 02:18 AM

OK, I did what you said, but the computer locked up for whatever reason when I did that, and while I was in the bathroom my girlfriend rebooted it directly after. I went back, hit the normal mode again and followed the stated procedure again. Unfortunately I quite literally have parts of my machine held together with duct tape and the side of the case open with a fan blowing in to help keep it from freezing up. Anyhow, here is the log as requested. Thank you so much for taking the time to help out. I truly and deeply appreciate it.

Log file of HijackThis v1.99.1
Scan saved at 2:12:51 AM, on 5/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
c:windowssystem32yqsmkav.exe
E:NEWFOL~1avgamsvr.exe
E:NEWFOL~1avgupsvc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:WINDOWSSystem32wuauclt.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.yahoo.com/
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:SpybotSPYBOT~1SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpn0ycomp5_6_2_0.dll
O4 - HKLM..Run: [vzhvyhh] c:windowssystem32yqsmkav.exe
O4 - HKLM..Run: [SpybotSnD] "E:SpybotSpybot - Search & DestroySpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM..Run: [jlvhfn] c:windowssystem32opmgsq.exe
O4 - HKLM..Run: [AVG7_CC] E:NEWFOL~1avgcc.exe /STARTUP
O4 - HKCU..Run: [SpybotSD TeaTimer] E:SpybotSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [IB73Rfe6U] cdost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: GStartup.lnk = C:Program FilesCommon FilesGMTGMT.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_02in
pjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_02in
pjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:NEWFOL~1avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:NEWFOL~1avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:WINDOWSsvcproc.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 13 May 2005 - 02:32 AM

Hi Relmwalker. It looks like you are having a problem with submitting the log. There is no formatting and I can't tell where the files/folders are located. Please follow this procedure to copy/paste the log here:

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT


#5 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 13 May 2005 - 03:44 AM

That's exactly what I did in both those posts. Will do it again. I used instructions from http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/ step by step both times.

Logfile of HijackThis v1.99.1
Scan saved at 3:41:37 AM, on 5/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\yqsmkav.exe
E:\NEWFOL~1\avgamsvr.exe
E:\NEWFOL~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [vzhvyhh] c:\windows\system32\yqsmkav.exe
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [jlvhfn] c:\windows\system32\opmgsq.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\NEWFOL~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IB73Rfe6U] cdost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Hope that's what you wanted. :thumbsup:

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 13 May 2005 - 11:29 AM

Hi Relmwalker. Yes that looks much better. Ok, please print these directions and then proceed with the following steps in order.

Fix Nail.exe

Step #1

Download CCleaner and install it but do not run it yet.

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Open Notepad and copy/paste the text in the quotebox below into the new document:

@ECHO OFF
REM Change to the Windows folder, where Nail.exe and svcproc.exe live
cd\windows
REM Ask Nail.exe to uninstall itself, then disable, stop and delete the SvcProc service
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit


Save the document to your desktop as fixnail.bat and close Notepad.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vzhvyhh] c:\windows\system32\yqsmkav.exe
O4 - HKLM\..\Run: [jlvhfn] c:\windows\system32\opmgsq.exe
O4 - HKCU\..\Run: [IB73Rfe6U] cdost.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Locate the fixnail.bat file on your desktop and double-click on it to run it.

Step #6

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #7

Start ewido and click the Scanner button and then click the Start button. Let it run to completion and fix everything it finds.

Step #8

You currently have the Gator advertising software installed on your computer. See the link below for directions on how to remove it:
Gator Removal Instructions and Help

Step #9

Your operating system is extremely out of date. By not keeping your OS updated you leave yourself open to many of the infections that cannot be installed on a properly updated system. I strongly recommend that you go to the Windows Update site and install Service Pack 2. Once that is done, go back to the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known holes which your present system has open.

Step #10

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

Edited by OldTimer, 13 May 2005 - 11:31 AM.


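The fix above singles out three kinds of HijackThis entries: an F2 Shell= value that starts a second executable after Explorer.exe, O4 Run values whose names look random or whose target is a bare filename with no folder, and an O23 service with "Unknown owner". As an added example, not part of this thread and not HijackThis code, here is a small Python triage script that encodes those three checks and runs them over a constructed sample modelled on the log posted above. The random-name heuristic (lowercase-only name with three consonants in a row) is my assumption, not a HijackThis rule, and it will misfire on some legitimate short names, so treat its output as a list of things to look at, not things to delete.

```python
"""Triage a HijackThis log for the entry types the fix above targets (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the lines of the log posted above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [uoghtx] c:\windows\system32\lcocusi.exe
O4 - HKLM\..\Run: [vzhvyhh] c:\windows\system32\yqsmkav.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\NEWFOL~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU\..\Run: [IB73Rfe6U] cdost.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgupsvc.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


# O4 Run value:  O4 - HKLM\..\Run: [name] target
O4_RUN = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# O23 service:   O23 - Service: display name (short name) - owner - path
O23_SVC = re.compile(r"^O23 - Service: .+? \((\w+)\) - (.+?) - (.+)$")
# F2 shell:      F2 - REG:system.ini: Shell=value
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")


def looks_random(name):
    """Heuristic (assumption): lowercase-only name with three consonants in a row."""
    return bool(re.fullmatch(r"[a-z]{5,}", name)) and re.search(r"[^aeiou]{3}", name) is not None


def run_target_path(target):
    """Extract the executable path from a Run value, honouring a quoted path."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split()[0] if target else ""


def triage(log_text):
    """Return one Finding per line that matches any of the three checks."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_SHELL.match(line)
        if m:
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(Finding(line, "Shell= starts something besides Explorer.exe"))
            continue
        m = O4_RUN.match(line)
        if m:
            name, path = m.group(2), run_target_path(m.group(3))
            if "\\" not in path:
                findings.append(Finding(line, f"Run value '{name}' points at bare filename {path}"))
            elif looks_random(name):
                findings.append(Finding(line, f"Run value name '{name}' looks random"))
            continue
        m = O23_SVC.match(line)
        if m and m.group(2).lower() == "unknown owner":
            findings.append(Finding(line, f"service {m.group(1)} has no publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run as-is it prints five findings for the sample: the Nail.exe shell entry, the two random-named Run values, the bare cdost.exe value and the SvcProc service; the AVG and Spybot lines pass. Lines the script does not flag are not thereby clean (the R1 search-page entries the fix also removes are a judgement call it does not attempt).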

#7 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 13 May 2005 - 06:36 PM

OK, so I followed steps 1-7 exactly as stated, except two files weren't found in the scan:

O4 - HKLM\..\Run: [vzhvyhh] c:\windows\system32\yqsmkav.exe
and
O4 - HKLM\..\Run: [jlvhfn] c:\windows\system32\opmgsq.exe

Other than that everything went well. Upon startup it's acting the same though. I am now finding 1 file with Spybot. Still finding all the same files with Ad-aware (mostly VX2 files). Also ewido on startup immediately found a problem to clean and Spybot TeaTimer found something trying to change itself. Below is a new log. Previously for some reason I had not been able to download Service Pack 2, and I haven't tried it again nor the Gator removal, but will be doing that now.




Logfile of HijackThis v1.99.1
Scan saved at 6:26:35 PM, on 5/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
E:\NEWFOL~1\avgcc.exe
E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
E:\NEWFOL~1\avgamsvr.exe
E:\NEWFOL~1\avgupsvc.exe
E:\New Folder\security suite\ewidoctrl.exe
E:\New Folder\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
E:\New Folder\avgemc.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Angel\Angel.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [AVG7_CC] E:\NEWFOL~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\NEWFOL~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\New Folder\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\New Folder\security suite\ewidoguard.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 13 May 2005 - 11:21 PM

Hi Relmwalker. I think you have some files hiding out in your operating system. Let's do a check and see what we find.

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt back here and I will review it when it comes in.

OT

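PFind's sweep, whose pfind.txt output Relmwalker posts in the next reply, does two things: it reports files under the Windows folders that carry packer marker strings (UPX!, PEC2/PECompact2, .aspack, FSG!), and it lists system/hidden files changed in the last 60 days, since packed executables with fresh timestamps in system32 are a common sign of something hiding. As an added example, not PFind's own code, here is a Python sketch of those two checks run over a constructed sample tree; the marker list is taken from that output and the file names are reused from it, but the file contents are synthetic stubs. The tool's own banner applies here too: packing alone is not evidence of malware, and AVG's own avg7core.sys shows up UPX-packed in that same output.

```python
"""PFind-style sweep: packer markers in PE files plus recently modified files (added example)."""
import os
import tempfile
import time
from pathlib import Path

# Marker strings as they appear in the pfind.txt output posted in the next reply.
PACKER_MARKERS = (b"UPX!", b"PECompact2", b"PEC2", b".aspack", b"FSG!")
HEAD_BYTES = 64 * 1024  # packer stubs sit near the start of the image
PE_SUFFIXES = (".exe", ".dll", ".sys", ".ocx")


def packer_markers_in(path, markers=PACKER_MARKERS):
    """Return the marker strings present in the first HEAD_BYTES of a file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return []
    return [m.decode("ascii") for m in markers if m in head]


def scan_for_packers(root):
    """Walk root and report (path, marker) for every PE-like file carrying a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            hits.extend((path, marker) for marker in packer_markers_in(path))
    return sorted(hits)


def recent_files(root, days=60, now=None):
    """Files modified within `days`, with the Windows hidden/system bits where the OS exposes them."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if st.st_mtime < cutoff:
                continue
            attrs = getattr(st, "st_file_attributes", 0)  # 0 on non-Windows hosts
            hidden, system = bool(attrs & 0x2), bool(attrs & 0x4)  # FILE_ATTRIBUTE_HIDDEN / _SYSTEM
            found.append((path, st.st_size, hidden, system))
    return sorted(found)


def build_sample(root):
    """Constructed sample tree: names reused from the posted pfind.txt, contents synthetic."""
    root = Path(root)
    (root / "SYSTEM32").mkdir(parents=True, exist_ok=True)
    stub = b"MZ" + b"\x00" * 62  # fake DOS header, enough for the substring check
    (root / "SYSTEM32" / "bndyuy.exe").write_bytes(stub + b"UPX!" + b"\x00" * 64)
    (root / "z2b.sys").write_bytes(stub + b"PEC2\x00PECompact2" + b"\x00" * 64)
    (root / "SYSTEM32" / "clean.dll").write_bytes(stub + b"\x00" * 128)
    (root / "notes.txt").write_bytes(b"UPX! inside a text file is never inspected")
    return root


def run_demo():
    """Build the sample in a temp dir; return (marker hits by basename, count of recent files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp)
        hits = {(os.path.basename(p), m) for p, m in scan_for_packers(root)}
        recent = len(recent_files(root))
    return hits, recent


if __name__ == "__main__":
    hits, recent = run_demo()
    for name, marker in sorted(hits):
        print(f"{name}: {marker}")
    print(f"{recent} files modified in the last 60 days")
```

The scan reports z2b.sys twice (PEC2 and PECompact2), exactly the doubled lines seen in the real output, because both strings occur in a PECompact stub. Only PE-like extensions are opened, so the marker inside notes.txt is ignored, and the recent-file list is deliberately attribute-agnostic so that it still works where the hidden/system bits are unavailable.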

#9 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 14 May 2005 - 01:04 AM

I did get Windows Service Pack 2 and 17 other updates installed. I tried the Gator thing, but I don't know where the system tray is and it was not listed in Add/Remove Programs like the website said it was.

Here is the information you requested.

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\z2b.sys: PEC2
C:\WINDOWS\z2b.sys: PECompact2


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\bndyuy.exe: UPX!
C:\WINDOWS\SYSTEM32\ncfht.exe: PEC2
C:\WINDOWS\SYSTEM32\ncfht.exe: PECompact2
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\z2b.sys: PEC2
C:\WINDOWS\SYSTEM32\z2b.sys: PECompact2


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: =FSG!u$h
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Kiren\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Kiren\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Sat May 14 2005 12:51:02a A.S.. 2,048 2.00 K
z2b.sys Thu Mar 31 2005 5:04:14a ..SHR 273,613 267.20 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Thu Apr 28 2005 9:15:24a ...H. 65 0.06 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Thu Apr 28 2005 9:15:24a ...H. 65 0.06 K

C:\WINDOWS\SYSTEM32\
ncfht.exe Thu Mar 31 2005 5:04:12a ..SHR 196,954 192.34 K
z2b.sys Thu Mar 31 2005 5:04:14a ..SHR 180,427 176.20 K

C:\WINDOWS\TASKS\
sa.dat Sat May 14 2005 12:49:58a A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Sat May 14 2005 12:50:52a A..H. 8,192 8.00 K
sam.log Sat May 14 2005 12:51:16a A..H. 1,024 1.00 K
security.log Sat May 14 2005 12:51:04a A..H. 12,288 12.00 K
software.log Sat May 14 2005 12:51:16a A..H. 57,344 56.00 K
system.log Sat May 14 2005 12:51:10a A..H. 720,896 704.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
pab9c9~1.cab Fri May 13 2005 9:35:54p ..SHR 305,145 297.99 K
pabdc9~1.cab Fri May 13 2005 9:40:52p ..SHR 68,327 66.72 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb890859.cat Sat Mar 19 2005 10:27:20p ..S.. 18,199 17.77 K
kb890923.cat Fri Mar 18 2005 6:21:16p ..S.. 16,497 16.11 K
kb893066.cat Fri Mar 18 2005 5:49:46p ..S.. 10,786 10.53 K
kb893086.cat Fri Mar 18 2005 7:39:48p ..S.. 13,574 13.25 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Fri May 13 2005 10:12:10p A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
d2823a~1 Fri May 13 2005 9:51:08p A.SH. 388 0.38 K
prefer~1 Fri May 13 2005 9:51:08p A.SH. 24 0.02 K

21 items found: 21 files, 0 directories.
Total of file sizes: 1,886,886 bytes 1.80 M



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpybotSnD REG_SZ "E:\Spybot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
AVG7_CC REG_SZ E:\NEWFOL~1\avgcc.exe /STARTUP
AVG7_EMC REG_SZ E:\NEWFOL~1\avgemc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer REG_SZ E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell REG_SZ explorer.exe



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ
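The three values in the last dump (Winlogon Userinit, Winlogon Shell and AppInit_DLLs) and the Image File Execution Options subkeys above it are places where a loader can arrange to be started without appearing in the usual Run keys, which is why a helper asks for them. As an added example, not part of the original thread and not code from HijackThis, Killbox or any other tool mentioned here, the Python script below parses reg.exe query output of the kind posted above and compares those values with their Windows XP defaults. It goes slightly beyond the posted dump by also checking IFEO subkeys for a Debugger value, the value that actually redirects a program launch (the posted IFEO list shows subkey names only, and a subkey without a Debugger value is not by itself a hijack). The first sample is the output posted above; the second, with notreal.exe, notreal.dll and notepad.exe, is constructed to show what a finding looks like.

```python
import re
from typing import Dict, List, Tuple

# Values to check against their Windows XP defaults. Userinit and Shell run at
# every logon; AppInit_DLLs is loaded into every process that uses user32.dll.
EXPECTED: Dict[str, Dict[str, str]] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
        "Shell": "explorer.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": "",
    },
}

# A Debugger value under an IFEO subkey makes Windows start that program
# instead of the one named by the subkey.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

RegDump = Dict[str, Dict[str, Tuple[str, str]]]


def parse_reg_output(text: str) -> RegDump:
    """Parse REG.EXE 3.0 'reg query' output into {key: {value_name: (type, data)}}.

    Keys and value names are stored lower-cased because the registry compares
    them case-insensitively. Value names that contain whitespace are not handled.
    """
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # banner line or blank separator
            continue
        if line.upper().startswith("HKEY_"):        # a key path starts a new block
            current = line.lower()
            dump.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s+", line, maxsplit=2)  # name, type, data (data may be empty)
        if len(parts) >= 2 and parts[1].upper().startswith("REG_"):
            data = parts[2] if len(parts) == 3 else ""
            dump[current][parts[0].lower()] = (parts[1], data)
    return dump


def audit(dump: RegDump) -> List[str]:
    """Return one finding per value that deviates from its expected default."""
    findings: List[str] = []
    for key, expected in EXPECTED.items():
        values = dump.get(key.lower(), {})
        for name, want in expected.items():
            entry = values.get(name.lower())
            if entry is None:
                findings.append(f"{key}\\{name}: value not present in dump")
            elif entry[1].lower() != want.lower():
                findings.append(f"{key}\\{name}: expected {want!r}, found {entry[1]!r}")
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in dump.items():
        if key.startswith(prefix) and "debugger" in values:
            image = key[len(prefix):]
            findings.append(f"IFEO Debugger set for {image}: {values['debugger'][1]!r}")
    return findings


# Sample 1: the output posted in the thread above (clean).
CLEAN_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell   REG_SZ  explorer.exe

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
"""

# Sample 2: constructed, not from the thread. notreal.exe and notreal.dll are
# placeholders standing in for whatever an unexpected entry would point at.
TAMPERED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\notreal.exe
    Shell   REG_SZ  explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ  notreal.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ  C:\WINDOWS\system32\notreal.exe
"""

if __name__ == "__main__":
    for label, sample in (("posted dump", CLEAN_OUTPUT), ("constructed dump", TAMPERED_OUTPUT)):
        findings = audit(parse_reg_output(sample))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + finding)
```

The posted dump produces no findings; the constructed one produces three (the extra program after the comma in Userinit, the non-empty AppInit_DLLs, and the IFEO Debugger for notepad.exe). Expected values are compared case-insensitively because the registry itself is, and data is split with at most two splits so paths containing spaces survive intact.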

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 14 May 2005 - 09:31 AM

Hi Relmwalker. It looks like we have a few files trying to hide so let's take care of them.

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
    • C:\WINDOWS\z2b.sys
      C:\WINDOWS\SYSTEM32\bndyuy.exe
      C:\WINDOWS\SYSTEM32\ncfht.exe
  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you drop down that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.

Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 14 May 2005 - 02:59 PM

No problems doing that one. Here is the information requested.



Logfile of HijackThis v1.99.1
Scan saved at 2:58:13 PM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\NEWFOL~1\avgcc.exe
E:\NEWFOL~1\avgemc.exe
E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
E:\NEWFOL~1\avgamsvr.exe
E:\NEWFOL~1\avgupsvc.exe
E:\New Folder\security suite\ewidoctrl.exe
E:\New Folder\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\NEWFOL~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\NEWFOL~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\New Folder\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\New Folder\security suite\ewidoguard.exe
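The helper's method in this thread is to compare each new HijackThis log with the previous one and look at what changed. As an added example, not part of the original thread and not HijackThis's own code, the Python script below parses logs in the format posted above into a process list and a list of (section, detail) items, diffs two scans, and lists the items that deserve a manual look. NEW_LOG is a shortened copy of the log posted above; OLD_LOG is constructed from it by adding two placeholder entries (notreal.exe and notreal.dll are not real files) so that the diff has something to report.

```python
import re
from typing import List, Tuple

# A HijackThis item line: section tag (R0, O2, O4, O23, ...), " - ", then the detail.
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")

Item = Tuple[str, str]


def parse_hjt_log(text: str) -> Tuple[List[str], List[Item]]:
    """Split a HijackThis log into its running-process list and its item lines."""
    processes: List[str] = []
    items: List[Item] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:                             # header lines (Logfile of..., Platform:) do not match
            items.append((m.group("section"), m.group("detail")))
    return processes, items


def diff_logs(old_text: str, new_text: str) -> Tuple[List[Item], List[Item]]:
    """Items that disappeared from, and items that appeared in, the newer log.

    Order follows the logs themselves so the result reads like a log.
    """
    _, old_items = parse_hjt_log(old_text)
    _, new_items = parse_hjt_log(new_text)
    old_set, new_set = set(old_items), set(new_items)
    removed = [i for i in old_items if i not in new_set]
    added = [i for i in new_items if i not in old_set]
    return removed, added


def flag_for_review(items: List[Item]) -> List[Item]:
    """Items worth a manual look: components HijackThis shows as '(no name)' and
    startup shortcuts whose target it could not display ('= ?').

    Legitimate software produces both (the Spybot SDHelper BHO below is one), so
    this is a review list, not a verdict.
    """
    return [(s, d) for s, d in items if "(no name)" in d or d.endswith("= ?")]


# Lines taken from the follow-up log posted above (shortened to a few entries).
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:58:13 PM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
E:\NEWFOL~1\avgcc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\NEWFOL~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\NEWFOL~1\avgamsvr.exe
"""

# Constructed "earlier scan": the same log with two placeholder entries added
# (notreal.dll / notreal.exe are not real files and not from the thread).
_ANCHOR = r"O4 - HKLM\..\Run: [AVG7_CC] E:\NEWFOL~1\avgcc.exe /STARTUP"
OLD_LOG = NEW_LOG.replace(_ANCHOR, "\n".join([
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\notreal.dll",
    _ANCHOR,
    r"O4 - HKLM\..\Run: [notreal] C:\WINDOWS\system32\notreal.exe",
]))

if __name__ == "__main__":
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    for label, group in (("gone since earlier scan", removed), ("new since earlier scan", added)):
        print(f"{label}: {len(group)}")
        for section, detail in group:
            print(f"  {section} - {detail}")
    print("needs a manual look:")
    for section, detail in flag_for_review(parse_hjt_log(NEW_LOG)[1]):
        print(f"  {section} - {detail}")
```

Running it reports the two constructed entries as gone, nothing as new, and two items for review in the current log (the unnamed SDHelper BHO and the Adobe Gamma Loader shortcut). Items are compared as whole lines, so a change of path or CLSID in an otherwise identical entry shows up as one removal plus one addition, which is the behaviour a reviewer wants.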

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 14 May 2005 - 10:12 PM

Hi Relmwalker. Now that is a squeaky clean log. Good job! How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
OldTimer


#13 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 15 May 2005 - 04:54 AM

I haven't had a chance to be really online for the last 36 hours about now, except to reply to these posts. I surfed a couple of minutes just now and had no pop-ups, so that is a great sign. I cleared my restore points as directed. I am running ewido, Spybot, Ad-Aware, and AVG all right now. Spybot has so far found a file, a folder, and a registry key, so there might still be some lurking in here, but so far it looks really good. I will download the firewall and other programs when I wake up in the morning. The only problem I am having now is that Ad-Aware has now started to run very, very slowly. My system in general seems to be slower, I think because of all the programs now running. Maybe all this will also correct whatever was wrong and not letting me do a disk cleanup. Again, I really appreciate your help, and will post again tomorrow after I have had a chance to really test to see if it's still there.

#14 Relmwalker

Relmwalker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 15 May 2005 - 06:19 PM

Ok, this morning I ran Ad-Aware and it found 46 files and modules. I cleared those up, rebooted, ran it again and had 9 found. Cleaned those up, rebooted, and had nothing in any program. Ad-Aware, Spybot, AVG, and ewido all scan clean. I haven't had any pop-ups today and all is great. After a now much needed defrag I am hoping to have some speed back. I can not stress enough how much you have helped me and how much I appreciate it.

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:57 AM

Posted 15 May 2005 - 06:34 PM

You're very welcome Relmwalker. I'm glad that we could help.

Yes you will find that with AdAware. There only has to be a cookie on your machine and it flags it as a problem. I would be more concerned if AVG or ewido came back with something than AdAware.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
OldTimer




