Need help with HijackThis log Analysis


10 replies to this topic

#1 nomonkeytricks

Posted 20 May 2005 - 10:50 PM

Dear Friends,

During the last week I have used Spybot S&D, Microsoft Antispyware and AdAware to remove Ezula, Statblaster, People on Page and about a dozen others, but they keep coming back. Could you please advise? My log is below.



Logfile of HijackThis v1.99.1
Scan saved at 10:44:28 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\userint32.exe
C:\WINDOWS\SYSCFG16.EXE
C:\aight.exe
C:\WINDOWS\System32\rcbstr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\qtwgnt5.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [GhA6C] C:\WINDOWS\gqdunofc.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [lJJe] C:\windows\system32\lJJe.exe
O4 - HKLM\..\Run: [8WIG4o] C:\windows\system32\8WIG4o.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [eMr] C:\documents and settings\viviane\local settings\temp\eMr.exe
O4 - HKLM\..\Run: [7FfW0B] C:\windows\system32\7FfW0B.exe
O4 - HKLM\..\Run: [rn4T36W] rcbstr.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aCv3RWamV] qtwgnt5.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108617423311
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
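Reading a log like the one above is pattern matching: the helpers in this thread look at the F2 Shell= line, the O4 Run values, the paths of the running processes, the O15 Trusted Zone entries and the O16 ActiveX downloads, and decide from names and locations which ones do not belong. The script below is an added example written for this page; it is not HijackThis code and not any poster's procedure. It applies those same rules to a handful of lines copied from the logs in this thread: a Shell= value that launches anything besides Explorer.exe, Run value names that impersonate Windows components ("Lsass", "Windows Service Manager"), executables sitting in the drive root or a temp directory, filenames one edit away from a real system binary (the real file is userinit.exe, which makes userint32.exe a lookalike), and downloads or trusted sites from hosts nobody vetted. The lists of legitimate binary names and trusted download hosts, the "random-looking name" test and the one-strong-or-two-weak weighting are all assumptions constructed for the sample; a real tool would carry far longer lists.

```python
"""Heuristic triage of HijackThis v1.99.x log lines (added example for this thread;
neither HijackThis code nor the helper's procedure). The allow-lists below are
constructed for the sample and would be far larger in a real tool."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

LEGIT_STEMS = {"userinit", "lsass", "svchost", "winlogon", "services", "csrss", "explorer", "smss",
               "spoolsv", "wuauclt", "msmsgs", "aim", "gcasserv", "gcasdtserv", "hijackthis", "iexplore"}
IMPERSONATED = {"lsass", "svchost", "winlogon", "services", "csrss"}
TRUSTED_DPF = ("windowsupdate.microsoft.com", "pandasoftware.com")
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: .*? - (?P<url>\S+)')
PROC_RE = re.compile(r'^[A-Za-z]:\\.*\.exe$', re.I)   # "Running processes" lines

def extract_exes(cmd):
    """Split on every '.exe' so quoted paths with spaces, trailing arguments and
    multi-program Shell= values all yield their executable paths."""
    parts = re.split(r'(?<=\.exe)', cmd, flags=re.I)
    return [p.strip().lstrip('"') for p in parts if p.lower().endswith(".exe")]

def lookalike(stem):
    """The legit binary a name mimics, if any: userint32 -> userinit (the real file
    is userinit.exe). Digits are stripped first, then a fuzzy match is taken."""
    bare = re.sub(r'\d', '', stem)
    return next((l for l in sorted(LEGIT_STEMS) if SequenceMatcher(None, bare, l).ratio() >= 0.85), None)

def random_looking(token):
    """Weak signal: few vowels, digits wedged between letters, or a capital after a
    lower-case letter (lJJe, 8WIG4o, 7FfW0B, rcbstr, qtwgnt5)."""
    letters = re.sub(r'[^a-z]', '', token.lower())
    return bool(letters) and (sum(c in "aeiouy" for c in letters) / len(letters) <= 0.25
                              or re.search(r'[A-Za-z]\d+[A-Za-z]|[a-z][A-Z]', token) is not None)

def path_reasons(path):
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    stem = name[:-4]
    reasons = []
    if "\\" not in low:
        reasons.append(("weak", f"{name} given without a path (PATH search)"))
    elif re.fullmatch(r'[a-z]:\\[^\\]+', low):
        reasons.append(("strong", f"{name} sits in the drive root"))
    elif re.fullmatch(r'[a-z]:\\windows\\[^\\]+', low) and stem not in LEGIT_STEMS:
        reasons.append(("weak", f"unknown {name} directly in %WINDIR%"))
    if "\\temp\\" in low:
        reasons.append(("strong", f"{name} runs from a temp directory"))
    if stem not in LEGIT_STEMS:
        if legit := lookalike(stem):
            reasons.append(("strong", f"{name} is a lookalike of {legit}.exe"))
        if random_looking(stem):
            reasons.append(("weak", f"random-looking filename {name}"))
    return reasons

def triage_line(line):
    """Return [(severity, reason), ...] for one log line; empty if nothing fires."""
    reasons = []
    if m := F2_RE.match(line):
        extras = [e for e in extract_exes(m["cmd"]) if e.lower() != "explorer.exe"]
        if extras:
            reasons.append(("strong", "Shell= launches a program besides Explorer.exe"))
            reasons += [r for e in extras for r in path_reasons(e)]
    elif m := O4_RE.match(line):
        name = m["name"]
        if "windows" in name.lower() or name.lower() in IMPERSONATED:
            reasons.append(("strong", f"Run value '{name}' impersonates a Windows component"))
        elif random_looking(name):
            reasons.append(("weak", f"random-looking Run value name '{name}'"))
        reasons += [r for e in extract_exes(m["cmd"]) for r in path_reasons(e)]
    elif line.startswith("O15 - Trusted Zone:"):
        reasons.append(("strong", "site added to the IE Trusted zone"))
    elif m := O16_RE.match(line):
        host = urlsplit(m["url"]).hostname or ""
        if not any(host == s or host.endswith("." + s) for s in TRUSTED_DPF):
            reasons.append(("strong", f"ActiveX download from unvetted host {host}"))
    elif PROC_RE.match(line):
        reasons += path_reasons(line)
    return reasons

def is_suspicious(reasons):
    """One strong signal, or two weak ones, is enough to list the line."""
    strong = sum(sev == "strong" for sev, _ in reasons)
    return strong >= 1 or len(reasons) - strong >= 2

def triage(lines):
    """Map each flagged line to its reasons; quiet lines are omitted."""
    found = {line.strip(): triage_line(line.strip()) for line in lines}
    return {line: r for line, r in found.items() if is_suspicious(r)}

SAMPLE = [   # lines copied from the logs posted in this thread
    r"C:\aight.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe",
    r"O4 - HKLM\..\Run: [GhA6C] C:\WINDOWS\gqdunofc.exe",
    r"O4 - HKLM\..\Run: [rn4T36W] rcbstr.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)",
    r"O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab",
]
```

Running `triage(SAMPLE)` lists every line except the MSMSGS one: its value name has no vowels (a weak signal on its own) but the file is the real Messenger binary in Program Files, so one weak signal is not enough. The weighting is deliberate: random-looking names alone produce false positives (msmsgs.exe and svchost.exe have almost no vowels), so they only count when paired with a second oddity such as a bare filename or an unknown file dropped straight into C:\WINDOWS, while a Shell= hijack, a temp-directory executable, a lookalike name or a Trusted Zone entry is enough by itself.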

#2 Guest_Cretemonster_*

Posted 21 May 2005 - 04:34 AM

Hi nomonkeytricks and Welcome to the Bleeping Computer!

Was that the Entire HijackThis Log???

Please update and then configure Ad-Aware like this:

Configure Ad-Aware SE Personal 1.05:
o Click on the Gear button at the top of the window.
o Click "General" on the left hand side to display the General Settings box.
+ Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
# "Automatically save logfile"
# "Automatically quarantine objects prior to removal"
# "Safe Mode (always request confirmation)"
# "Prompt to update outdated definitions" - change to 7 days from the default 14.
o Click "Scanning" on the left hand side to display the Scan Settings box.
+ Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
# "Scan within archives"
# "Select drives & folders to scan" - select your hard drive(s).
# "Scan active processes"
# "Scan registry"
# "Deep-scan registry"
# "Scan my IE favorites for banned URLs"
# "Scan my Hosts file"
o Click "Advanced" on the left hand side to display the Advanced Settings box.
+ Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
# "Move deleted files to Recycle Bin"
# "Include additional object information"
# "Include negligible objects information"
# "Include environment information"
o Click "Defaults" on the left hand side to display the Default Settings box.
+ Make sure these items have your preferred settings in them.:
# "Default homepage"
# "Default searchpage"
o Click "Tweak" on the left hand side to display the Tweak Settings box.
+ Click the + (plus) sign next to the Log Files section. This will expand the section.
+ Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
# "Include basic Ad-Aware settings in log file"
# "Include additional Ad-Aware settings in log file"
# "Include reference summary in log file"
# "Include alternate data stream details in log file"
+ Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
+ Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
# "Unload recognized processes & modules during scan"
# "Scan registry for all users instead of current user only"
# "Obtain command line of scanned processes"
+ Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
+ Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
# "Always try to unload modules before deletion"
# "During removal, unload Explorer and IE if necessary"
# "Let Windows remove files in use at next reboot"
# "Delete quarantined objects after restoring"
o Once you are done with these settings, click "Proceed" to save them.
o This will take you back to the main screen.
Run Ad-Aware SE Personal 1.05:
o Click the "Start" button.
o Uncheck the "Search for negligible risk entries" entry.
o Choose the "Use custom scanning options" scan mode.
o Click the "Next" button.
o Ad-Aware will begin to scan for malware residing on your computer.
o Allow the scan to finish.
o Right-click on any entry in the list and click "Select All" to select the whole list.
o Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Please DO NOT run it yet!

Please Download CleanUp! 4.0:
http://downloads.stevengould.org/cleanup/CleanUp40.exe

If that link doesn't work, just go to Google.com and search for CleanUp!

It should be the first return!!
Once installed, open it, click CleanUp!, and when prompted to log off, do so!

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. This must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Open and run CleanUp!; when prompted to log off, click "No".

Locate and Delete these

C:\aight.exe<< File Only!

C:\WINDOWS\gqdunofc.exe<< File Only!

C:\WINDOWS\userint32.exe<< File Only and do not confuse this with the legitimate windows file userint.exe

C:\WINDOWS\SYSCFG16.EXE<< File Only!

C:\WINDOWS\System32\rcbstr.exe<< File Only!

C:\WINDOWS\System32\qtwgnt5.exe<< File Only!

C:\windows\system32\lJJe.exe<< File Only!

C:\windows\system32\8WIG4o.exe<< File Only!

C:\windows\system32\7FfW0B.exe<< File Only!

C:\documents and settings\viviane\local settings\temp\eMr.exe<< File Only!

Open and Run Ad Aware, Delete all it finds!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!


Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the report it generates and post it along with a fresh HijackThis log!!

#3 nomonkeytricks

Posted 21 May 2005 - 04:22 PM

Hello, Crete

You gave me good instructions, but I'm afraid I wasn't able to follow them as well as I wished. I couldn't get Panda to scan - I received an "error on page" message from them with no further explanation. And in the part where you tell me to Locate and Delete - was I supposed to be able to do that from CleanUp?

I've run a new HijackThis log, which I am posting below. Sorry!


Logfile of HijackThis v1.99.1
Scan saved at 4:14:32 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\userint32.exe
C:\WINDOWS\SYSCFG16.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [GhA6C] C:\WINDOWS\gqdunofc.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [lJJe] C:\windows\system32\lJJe.exe
O4 - HKLM\..\Run: [8WIG4o] C:\windows\system32\8WIG4o.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [eMr] C:\documents and settings\viviane\local settings\temp\eMr.exe
O4 - HKLM\..\Run: [7FfW0B] C:\windows\system32\7FfW0B.exe
O4 - HKLM\..\Run: [rn4T36W] rcbstr.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aCv3RWamV] qtwgnt5.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108617423311
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#4 Guest_Cretemonster_*

Posted 21 May 2005 - 07:45 PM

Not a problem > We can handle this, you just stick with me!!! :thumbsup:

CleanUp! is a program for cleaning temp files > You just open it and click the Cleanup button > it scans the system for all temp files and removes the unnecessary ones > then you just click Close and click Yes to log off so Cleanup can finish cleaning the files!

Go to Add\Remove Programs and remove WeatherBug if it exists!

I am going to have you download a tool that will make deleting those files much easier!

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php

There is a Direct Download and a description of what the Program does inside this link.
Download and Unzip it and Have it ready to Use!

Copy or Print out the Rest of these directions so you will have them handy while in Safe Mode!

Reboot into SAFE MODE (tap F8 when restarting)

Please Highlight and Right Click the list below then Select Copy!

C:\aight.exe
C:\WINDOWS\gqdunofc.exe
C:\WINDOWS\userint32.exe
C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\System32\rcbstr.exe
C:\WINDOWS\System32\qtwgnt5.exe
C:\windows\system32\lJJe.exe
C:\windows\system32\8WIG4o.exe
C:\windows\system32\7FfW0B.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AWS\WeatherBug
C:\Program Files\AWS
C:\documents and settings\viviane\local settings\temp\eMr.exe


Now Open Pocket KillBox>Click File>Click Paste to Clipboard!

Now put a tick by any of these selections that are available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Deltree(Include Subdirectories)"


Once those are ticked,Click the Red Circle with the White X in the Middle to Delete!!

Continue to click until all the files are gone from the list!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe

O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe

O4 - HKLM\..\Run: [GhA6C] C:\WINDOWS\gqdunofc.exe

O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE

O4 - HKLM\..\Run: [lJJe] C:\windows\system32\lJJe.exe

O4 - HKLM\..\Run: [8WIG4o] C:\windows\system32\8WIG4o.exe

O4 - HKLM\..\Run: [Lsass] C:\aight.exe

O4 - HKLM\..\Run: [eMr] C:\documents and settings\viviane\local settings\temp\eMr.exe

O4 - HKLM\..\Run: [7FfW0B] C:\windows\system32\7FfW0B.exe

O4 - HKLM\..\Run: [rn4T36W] rcbstr.exe

O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE

O4 - HKCU\..\Run: [aCv3RWamV] qtwgnt5.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

While in Safe Mode>Run CleanUp again!

Once all is complete>come on back and lets have a look at another HijackThis Log!

Edited by Cretemonster, 21 May 2005 - 07:47 PM.


#5 nomonkeytricks

Posted 21 May 2005 - 10:48 PM

Hello, Crete


I was able to follow this last bit much better - I believe there was no instruction that I couldn't complete. Here's the new log. Thanks for all you've done so far. I look forward to finding out what comes next. yrs, nomonkeytricks

Logfile of HijackThis v1.99.1
Scan saved at 10:39:14 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\wdungv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [wdungv] C:\WINDOWS\wdungv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108617423311
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#6 Guest_Cretemonster_*

Posted 22 May 2005 - 12:12 AM

Lord I am losing it bad! :thumbsup:

First things First......Lets get some Free Antivirus Software Installed on this PC!

You said you couldn't get to the online scan. Was this because Internet Explorer would not allow access?

Download the Hoster from here
http://www.funkytoad.com/download/hoster.zip

Unzip and Run the Program!

Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

Now lets get some Antivirus Software Downloaded and Installed!

AVG Anti-Virus plus Firewall
http://www.grisoft.com/doc/AvgPlusFw/lng/us/tpl/tpl01

Please read the Material printed on the page before you start!

This Antivirus plus Firewall is completely Free and Updates Automatically!

Once you have it Installed>Scan the System>Automatic Healing will prevent you from having to locate the files yourself!

Once the Scan is Completed>Go to Add\Remove Programs and Remove

180Solutions

Reboot into SAFE MODE (tap F8 when restarting)

Copy & paste these 2 entries into KillBox and use the same instructions as before!

C:\temp\salm.exe
C:\WINDOWS\wdungv.exe

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [wdungv] C:\WINDOWS\wdungv.exe

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Restart in Normal Mode and Post a Fresh HijackThis Log!

#7 nomonkeytricks

Posted 22 May 2005 - 05:52 PM

Hello, Crete

Whew! It takes a lot of time to install and run all these programs. As regards Panda Active Scan, I was able to run it this time (before I did any of your other directions) and I'll post the log below.



Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Fun & Games\Betting.lnk
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Program Files\Lycos
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/MyWebSearch No disinfected C:\Program Files\MyWebSearch
Adware:Adware/StatBlaster No disinfected C:\js.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\locck32.exe
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\SYSTEM32\update.exe
Virus:Trj/Bhotcher.A Disinfected C:\WINDOWS\SYSTEM32\wcBUsL.exe
Virus:Trj/Bhotcher.A Disinfected C:\WINDOWS\SYSTEM32\bTX.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\loceers.exe
Virus:Trj/Bhotcher.A Disinfected C:\WINDOWS\SYSTEM32\aFy.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\SYSTEM32\Mun8s0W.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\SYSTEM32\KtdFz9.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\SYSTEM32\LhoK9W3.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\g.exe
Adware:Adware/WinAD No disinfected C:\WINDOWS\l.exe
Virus:W32/Sdbot.DMR.worm Disinfected C:\WINDOWS\winsmc.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\l1ifqvha.exe
Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
Adware:Adware/HuntBar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\19ED0BE8-FFD4-4801-89AB-EE0547\F9F7D3A7-2148-4F74-A68C-287AF2
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD940D9-23AF-4324-B8C4-96F554\7A6375AD-7A1D-4B86-99A1-8AB018
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD940D9-23AF-4324-B8C4-96F554\11681A82-BD90-4CB1-AC70-FD95BE
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD940D9-23AF-4324-B8C4-96F554\715F92C2-AAEF-4AD3-93B2-57AE9E
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD940D9-23AF-4324-B8C4-96F554\18A46425-CC12-4EF3-B5E7-E9DE2B
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD940D9-23AF-4324-B8C4-96F554\9B478A75-C651-4148-B1EB-E559F8
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD940D9-23AF-4324-B8C4-96F554\B9D53C5E-2423-4D27-98ED-7EC3A8
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\880FE351-5266-489B-95C8-B6FA4A\893F2AC6-A706-47AF-A36C-DAD673
Adware:Adware/WinTools No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B9309D44-AFAC-4E71-A45C-E91195\E49750B5-F759-4E16-999A-B094E5
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\96A93590-C7B7-4E8C-BAFA-B7A88F\07F23A2A-AA73-4035-BB19-A45092
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\96A93590-C7B7-4E8C-BAFA-B7A88F\A9853D65-321C-481F-96C4-5667A9
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\96A93590-C7B7-4E8C-BAFA-B7A88F\808FA987-8673-4442-B4BD-422933
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\96A93590-C7B7-4E8C-BAFA-B7A88F\860CACBD-CB80-4021-9191-E38C79
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\96A93590-C7B7-4E8C-BAFA-B7A88F\1DA5C7AD-CC76-471E-9ACB-626A2B
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\28C5133D-9473-4760-A041-4FD873\89CF09BB-96D5-4C4B-BCAA-C6568B
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\28C5133D-9473-4760-A041-4FD873\12B31F16-2ACF-458B-850E-0EE437
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\28C5133D-9473-4760-A041-4FD873\8DFC1E24-3709-4EF1-A8C3-373762
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1407FFD-335A-48B5-AAE1-E06987\91087D45-FBC3-406D-92B3-0DADA3
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1407FFD-335A-48B5-AAE1-E06987\4C08EC09-19C2-4E02-B067-D87921
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1407FFD-335A-48B5-AAE1-E06987\A8A6D471-59C5-41D1-93B9-3C3128
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\63AF49D4-2229-4BB2-8DD4-09F630\417E1404-8770-40FB-9E15-5A20CE
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\63AF49D4-2229-4BB2-8DD4-09F630\01713B5C-0C5B-43E2-942E-F473BF
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\63AF49D4-2229-4BB2-8DD4-09F630\799AFCAA-96F1-4F6B-8C9A-10E88A
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\63AF49D4-2229-4BB2-8DD4-09F630\049B2399-7EF9-434F-B6A3-CE865B
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\63AF49D4-2229-4BB2-8DD4-09F630\EE2E4DFD-63DC-48CF-8A4D-DFA88D
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\42C93A34-32C1-49F1-8E4A-A26775\A9E3B6C6-D6B8-4E45-92C4-9B2163
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\14410A22-17EB-4DC6-8F5E-9EAEC9\8FBE699E-3A17-44D3-960C-A8D1FA
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\14410A22-17EB-4DC6-8F5E-9EAEC9\E56A80B9-EF02-47D2-9DA6-1A07D0
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7461167C-67B5-458C-88C3-3ABD4F\47EFA533-A96B-4B3A-A6F2-841C42
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7461167C-67B5-458C-88C3-3ABD4F\01775CD8-C6E3-44ED-B037-8C8D02
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7461167C-67B5-458C-88C3-3ABD4F\961B1AF1-E94C-41CC-8AC0-D9FD8C
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7461167C-67B5-458C-88C3-3ABD4F\BD354238-EAD4-4053-9EBF-ECFDA0
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7461167C-67B5-458C-88C3-3ABD4F\6887F733-0688-4BD2-B440-42C3A5
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\655FB92C-FFE6-4ED2-81E9-225FC5\7B1DB4CF-F7A4-4C71-9A62-E93A72
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\655FB92C-FFE6-4ED2-81E9-225FC5\0B8DAA4F-D3B6-4B2C-B9F2-D48A6E
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\655FB92C-FFE6-4ED2-81E9-225FC5\204F9193-7E15-495B-82A6-7C1EE9
Adware:Adware/SideFind No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AFA522B5-EE57-4237-B595-86E825\8CE97975-DE9E-49AC-98CD-1EC68E
Adware:Adware/SideFind No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AFA522B5-EE57-4237-B595-86E825\671F8647-14A8-4FB2-9041-A3C130
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\10F53A21-E3D0-4A9C-8073-583B23\B449AC8E-B0E7-4229-8EC3-913FB7
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C194B276-809E-41A3-8F42-339F7A\B77A6320-0F06-4C6E-819B-0370F8
Adware:Adware/WinTools No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C194B276-809E-41A3-8F42-339F7A\5AA631D8-BD56-45E1-A1BF-F8E4DA
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD36DA8-30F9-4D51-854B-B20D94\CE30245B-C114-4289-AE72-C646D7
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD36DA8-30F9-4D51-854B-B20D94\56B0D606-682B-47DC-A627-359524
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\947A2ABE-E6A2-4185-B081-B15AA4\E31F17F9-4C7A-4A16-8F46-E3D3C3
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\539AEF73-5417-4936-9D88-523758\93FA30E0-EA7D-405F-B59C-47B7A8
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\539AEF73-5417-4936-9D88-523758\F001DD31-E5EB-4E3C-84BB-82CC4D
Adware:Adware/WUpd No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\539AEF73-5417-4936-9D88-523758\10C7A44B-7372-4231-8215-6546C0
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CD03D239-EFEC-4289-BED8-8D7283\94CFD1B5-953E-4568-B8CF-0BAB52
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CD03D239-EFEC-4289-BED8-8D7283\7F25D59D-ECAC-4E76-89AF-6F72BD
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CD03D239-EFEC-4289-BED8-8D7283\1C7DB8AB-D9EB-443B-B937-1EED7E
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8E06E488-2001-446F-8872-F3DB8E\DF042477-2436-4E6E-8795-ABEA9C
Adware:Adware/WinTools No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\5130DE1C-2F42-4000-B741-280674\83F9AC3F-C8AF-4B53-BE85-9C83C9
Adware:Adware/SideFind No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3A4637A7-B7CA-4CBB-87B9-2EDA39\34951AE4-2A06-4537-9173-A00A4D
Adware:Adware/SideFind No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3A4637A7-B7CA-4CBB-87B9-2EDA39\0E34F1A9-3357-425D-A0B8-C0B4FD
Adware:Adware/WinTools No disinfected C:\NULL
Possible Virus. No disinfected C:\lanman.exe
Possible Virus. No disinfected C:\!Submit\userint32.exe
Adware:Adware/Trymedia No disinfected C:\Downloads\LemonadeTycoonSetup-dm[1].exe
Adware:Adware/StatBlaster No disinfected C:\system.exe
Adware:Adware/StatBlaster No disinfected C:\inf.exe
Adware:Adware/StatBlaster No disinfected C:\version.exe
Spyware:Spyware/ISTbar No disinfected C:\tmp.exe[g.exe]
Adware:Adware/WinAD No disinfected C:\tmp.exe[l.exe]
Virus:Trj/Multidropper.QW Disinfected C:\iMeshInst.exe
Adware:Adware/StatBlaster No disinfected C:\yay.exe
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Living\Insurance.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Viviane\Favorites\Technology\Tech & gadgets.lnk


Next, I downloaded Hoster and restored the original hosts (perhaps you could explain this to me at an appropriate time).

Then I installed AVG + firewall and ran a scan (it found 3 trojans).

I could not find 180solutions in the add/remove (although I have seen this among the recent invasive spyware).

I put the 2 exe files in Killbox, but it said they could not be found, and here is my most recent HijackThis log. Thank you for all your effort so far. I can't exactly say I've been enjoying this, but I do appreciate the help.


Logfile of HijackThis v1.99.1
Scan saved at 5:49:23 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108617423311
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 23 May 2005 - 01:15 AM

You did Great!!!!!! :thumbsup:

Thank You very much for following through with the AVG Instructions. You let me know what you think of it, Please???

Let's take out the rest of the Trash

Restart in Safe Mode

Use the exact same instructions for Killbox

Here is the list. You will probably get more "file not found" messages, which is fine with me; at least we know the bugs aren't there anymore if you get that message!

Here is the list of files for Killbox

C:\Documents and Settings\Viviane\Favorites\Shop
C:\Documents and Settings\Viviane\Favorites\Living
C:\Documents and Settings\Viviane\Favorites\Going Places
C:\Documents and Settings\Viviane\Favorites\Technology
C:\Documents and Settings\Viviane\Favorites\Fun & Games
C:\Program Files\Lycos
C:\WINDOWS\wt
C:\Program Files\MyWebSearch
C:\NULL
C:\Downloads\LemonadeTycoonSetup-dm[1].exe
C:\WINDOWS\SYSTEM32\locck32.exe
C:\WINDOWS\SYSTEM32\update.exe
C:\WINDOWS\SYSTEM32\wcBUsL.exe
C:\WINDOWS\SYSTEM32\bTX.exe
C:\WINDOWS\SYSTEM32\loceers.exe
C:\WINDOWS\SYSTEM32\aFy.exe
C:\WINDOWS\SYSTEM32\Mun8s0W.exe
C:\WINDOWS\SYSTEM32\KtdFz9.exe
C:\WINDOWS\SYSTEM32\LhoK9W3.exe
C:\WINDOWS\g.exe
C:\WINDOWS\l.exe
C:\WINDOWS\winsmc.exe
C:\WINDOWS\l1ifqvha.exe
C:\WINDOWS\sepsd.bin
C:\lanman.exe
C:\system.exe
C:\inf.exe
C:\version.exe
C:\tmp.exe[g.exe]
C:\tmp.exe[l.exe]
C:\iMeshInst.exe
C:\yay.exe
C:\js.exe


Restart back in Normal Mode and Install and Update SpywareBlaster 3.4
http://www.javacoolsoftware.com/spywareblaster.html

Post back and tell me how things are now?

#9 nomonkeytricks

nomonkeytricks
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:00 AM

Posted 23 May 2005 - 10:09 AM

Hello, Crete


Things are definitely looking better !

I downloaded SpywareBlaster 3.4 - I had this on my computer once before, but had removed it because I felt it was ineffective. Perhaps because I didn't see any wheels turning, or the like, I figured it wasn't doing anything.

AVG seems very good. I noticed that it was a beta that will expire some time in the future. Do you think they will require payment at that time ?
One thing about AVG that is different for me is that a popup might come up asking authorization for, say, "Microsoft Antispyware to communicate for updates" and asking for approval. I believe I will know how to respond to most of these prompts, but I wonder if my kids will be able to figure them out, if they are the users at the time.

The problems that caused me to seek help in the first place (pop-ups, spyware, etc.) all seem to have been driven off. I am very grateful for this. I'm posting a new log below. If I need to do more, or understand more, please let me know.

no-monkey-tricks :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:07 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108617423311
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
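The logs posted in this thread are only lists of what is registered on the machine; the actual analysis is reading the paths and asking where each executable lives. As an added example (not HijackThis's own code and not the helper's method), the script below parses a HijackThis 1.99 log into its process list and its `O`/`R` entries, collapses the repeated O10 Winsock LSP lines into one finding per DLL, and flags executables that sit directly in the drive root or the Windows directory, which is where several of the files in this thread (`C:\lanman.exe`, `C:\WINDOWS\userint32.exe`, `C:\system.exe`) were found. The "suspicious location" rules and the small Windows-directory allowlist are assumptions of this example, and the sample log is constructed from lines in this thread plus one constructed `O4` entry.

```python
"""Triage helper for HijackThis 1.99 logs.

Added example for this thread; it is not HijackThis's own code and not the
helper's method. The "suspicious location" rules are constructed heuristics:
HijackThis only lists what is registered, and whether an entry is bad is a
judgement call that this script merely narrows down.
"""
import re
from collections import Counter

# Entry lines look like "O4 - HKLM\..\Run: [name] path args" or "R3 - Default URLSearchHook is missing"
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# First Windows path with a binary extension, with or without surrounding quotes
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|bin))"?', re.IGNORECASE)

# Executables that genuinely live in the Windows directory on XP (assumed allowlist, kept small)
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "winhlp32.exe", "hh.exe"}

DRIVE_ROOT = "executable directly in the drive root"
WINDOWS_ROOT = "executable directly in the Windows directory"
TEMP_DIR = "executable in a temp directory"


def parse_hjt(text):
    """Split a log into its 'Running processes' list and its (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def extract_path(detail):
    """Return the first file path in an entry, or None (R0/R1 entries carry URLs, not paths)."""
    m = PATH_RE.search(detail)
    return m.group(1) if m else None


def location_risk(path):
    """Reason string if the executable sits where an installed program normally does not, else None."""
    lowered = path.replace("/", "\\").lower()
    directory, _, name = lowered.rpartition("\\")
    if re.fullmatch(r"[a-z]:", directory):
        return DRIVE_ROOT
    if re.fullmatch(r"[a-z]:\\(windows|winnt)", directory) and name not in WINDOWS_ROOT_OK:
        return WINDOWS_ROOT
    if re.search(r"\\(temp|tmp)$", directory):
        return TEMP_DIR
    return None


def review(log_text):
    """Return (kind, detail, reason) findings: odd process and autostart locations, the missing
    URLSearchHook, and each distinct LSP DLL with the number of O10 lines it produced."""
    processes, entries = parse_hjt(log_text)
    findings = []
    for proc in processes:
        reason = location_risk(proc)
        if reason:
            findings.append(("process", proc, reason))
    for (code, detail), seen in Counter(entries).items():
        if code == "R3" and "missing" in detail.lower():
            findings.append((code, detail, "default URLSearchHook missing; HijackThis can restore it"))
        elif code == "O10":
            # The same DLL is listed once per Winsock catalog entry it is layered into,
            # so six identical O10 lines are one DLL, not six infections
            findings.append((code, detail, f"LSP DLL listed {seen} time(s); confirm it belongs to an installed product"))
        else:
            path = extract_path(detail)
            reason = location_risk(path) if path else None
            if reason:
                findings.append((code, detail, reason))
    return findings


# Constructed sample: process and entry lines taken from the logs in this thread,
# plus one constructed O4 entry (the [system] line) to exercise the autostart check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:49:23 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\userint32.exe
C:\lanman.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [system] C:\system.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

if __name__ == "__main__":
    for kind, detail, reason in review(SAMPLE_LOG):
        print(f"{kind:8} {reason}\n         {detail}")
```

On the sample it reports the two oddly placed processes, the constructed `C:\system.exe` autostart, the missing URLSearchHook, and `avgfwafu.dll` once with its line count, while `Explorer.EXE` and the AVG binaries pass. Location alone is a triage signal, not a verdict: a file in `C:\` still has to be looked up or submitted for scanning, as the helper did here with Panda ActiveScan.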

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 23 May 2005 - 10:56 AM

You have done yourself proud with this Infection and I suspect this has been a most eye-opening experience for you! :thumbsup:

So let me not send you off without first showing you some links that may very well answer some of your questions!

http://forums.thetechguys.com/showthread.php?t=4544

http://www.pcstats.com/articleview.cfm?articleID=1579

http://forums.thetechguys.com/showthread.php?t=8859


Let's go ahead and Flush out System Restore and Create a Nice Clean Restore Point for you to fall back on if the need ever comes up!
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Simply Disable System Restore and Restart the PC>Once Restarted>Re-enable it>The Next time you Restart you will have a Clean Restore Point!

Now for your question about AVG plus Firewall!

As for the kids>Well, you are gonna have to educate them on what to and what not to do when these messages come up!

My kids (17&18) have what I called a forced education!

Folks like me and you know that term as "DO it My Way or Don't Do it at all!!"

As it may sound crude to tell your kids that>Sometimes we just have to be able to think for them!

Now for the Beta part of the AVG program!

I suspect that it will expire and I have a solution for that as well!

AVG 7 without firewall is supposed to be free and Sygate's Personal Firewall has the same legacy!

That being said>When the time comes to drop the present program you have, you can replace it with those 2 above mentioned programs!

Here is a list of free AVs I looked up for you>They are in no particular order, and I recommend staying with AVG, but if the program is not to remain free, then you have plenty of options to choose from!!

AVG
http://www.grisoft.com/doc/1
http://www.grisoft.com/doc/AvgPlusFw/lng/u...l/tpl01<< New Beta Version!

Antivir
http://www.free-av.com/

avast! 4 Home Edition
http://www.avast.com/eng/avast_4_home.html

BitDefender Free Edition v7
http://www.bitdefender.com/bd/site/products.php?p_id=24

a-squared Free
http://www.emsisoft.com/en/software/free/

ClamAV
http://www.clamwin.com/

For the Firewall>I will not recommend any other but this one

Sygate Personal Firewall:
http://smb.sygate.com/products/spf_standard.htm

This is the only Firewall I have ever had Installed and was most impressed with the performance and Versatility of the program, not to mention it seems a bit lighter on the PCs than say Zone Alarm!

I do believe that just about covers it>You can have HijackThis fix this one entry

R3 - Default URLSearchHook is missing

Any other Questions>Feel free to ask away!

#11 nomonkeytricks

nomonkeytricks
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE

Posted 23 May 2005 - 09:59 PM

Hello, Crete

I did the system restore disable/enable, and have run this latest log. It looks good to me, and I have not experienced any recurring problems.

During the last few days, I've been reading some of the other posts on this site, and it seems that I was very lucky not to have contracted a problem far worse than the one I had.

I thank you again - does this topic automatically end when there is no more to add?

yours, no-monkey-tricks :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 9:50:57 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108617423311
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
